--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: alpha: define get_cycles macro for arch-override
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1097710bc9660e1e588cf2186a35db3d95c4d258 upstream.
+
+Alpha defines a get_cycles() function, but it does not do the usual
+`#define get_cycles get_cycles` dance, making it impossible for generic
+code to see if an arch-specific function was defined. While the
+get_cycles() ifdef is not currently used, the following timekeeping
+patch in this series will depend on the macro existing (or not existing)
+when defining random_get_entropy().
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Acked-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/include/asm/timex.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/alpha/include/asm/timex.h
++++ b/arch/alpha/include/asm/timex.h
+@@ -28,5 +28,6 @@ static inline cycles_t get_cycles (void)
+ __asm__ __volatile__ ("rpcc %0" : "=r"(ret));
+ return ret;
+ }
++#define get_cycles get_cycles
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: arm: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit ff8a8f59c99f6a7c656387addc4d9f2247d75077 upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/timex.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/include/asm/timex.h
++++ b/arch/arm/include/asm/timex.h
+@@ -14,5 +14,6 @@
+
+ typedef unsigned long cycles_t;
+ #define get_cycles() ({ cycles_t c; read_current_timer(&c) ? 0 : c; })
++#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback())
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Borislav Petkov <bp@alien8.de>
+Date: Tue, 1 Oct 2019 19:50:23 +0200
+Subject: char/random: Add a newline at the end of the file
+
+From: Borislav Petkov <bp@alien8.de>
+
+commit 3fd57e7a9e66b9a8bcbf0560ff09e84d0b8de1bd upstream.
+
+On Tue, Oct 01, 2019 at 10:14:40AM -0700, Linus Torvalds wrote:
+> The previous state of the file didn't have that 0xa at the end, so you get that
+>
+>
+> -EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+> \ No newline at end of file
+> +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+>
+> which is "the '-' line doesn't have a newline, the '+' line does" marker.
+
+Aaha, that makes total sense, thanks for explaining. Oh well, let's fix
+it then so that people don't scratch heads like me.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2451,4 +2451,4 @@ void add_bootloader_randomness(const voi
+ else
+ add_device_randomness(buf, size);
+ }
+-EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+\ No newline at end of file
++EXPORT_SYMBOL_GPL(add_bootloader_randomness);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Date: Wed, 13 Nov 2019 16:16:25 -0500
+Subject: char/random: silence a lockdep splat with printk()
+
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+
+[ Upstream commit 1b710b1b10eff9d46666064ea25f079f70bc67a8 ]
+
+Sergey didn't like the locking order,
+
+uart_port->lock -> tty_port->lock
+
+uart_write (uart_port->lock)
+ __uart_start
+ pl011_start_tx
+ pl011_tx_chars
+ uart_write_wakeup
+ tty_port_tty_wakeup
+ tty_port_default
+ tty_port_tty_get (tty_port->lock)
+
+but those code is so old, and I have no clue how to de-couple it after
+checking other locks in the splat. There is an onging effort to make all
+printk() as deferred, so until that happens, workaround it for now as a
+short-term fix.
+
+LTP: starting iogen01 (export LTPROOT; rwtest -N iogen01 -i 120s -s
+read,write -Da -Dv -n 2 500b:$TMPDIR/doio.f1.$$
+1000b:$TMPDIR/doio.f2.$$)
+WARNING: possible circular locking dependency detected
+------------------------------------------------------
+doio/49441 is trying to acquire lock:
+ffff008b7cff7290 (&(&zone->lock)->rlock){..-.}, at: rmqueue+0x138/0x2050
+
+but task is already holding lock:
+60ff000822352818 (&pool->lock/1){-.-.}, at: start_flush_work+0xd8/0x3f0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #4 (&pool->lock/1){-.-.}:
+ lock_acquire+0x320/0x360
+ _raw_spin_lock+0x64/0x80
+ __queue_work+0x4b4/0xa10
+ queue_work_on+0xac/0x11c
+ tty_schedule_flip+0x84/0xbc
+ tty_flip_buffer_push+0x1c/0x28
+ pty_write+0x98/0xd0
+ n_tty_write+0x450/0x60c
+ tty_write+0x338/0x474
+ __vfs_write+0x88/0x214
+ vfs_write+0x12c/0x1a4
+ redirected_tty_write+0x90/0xdc
+ do_loop_readv_writev+0x140/0x180
+ do_iter_write+0xe0/0x10c
+ vfs_writev+0x134/0x1cc
+ do_writev+0xbc/0x130
+ __arm64_sys_writev+0x58/0x8c
+ el0_svc_handler+0x170/0x240
+ el0_sync_handler+0x150/0x250
+ el0_sync+0x164/0x180
+
+ -> #3 (&(&port->lock)->rlock){-.-.}:
+ lock_acquire+0x320/0x360
+ _raw_spin_lock_irqsave+0x7c/0x9c
+ tty_port_tty_get+0x24/0x60
+ tty_port_default_wakeup+0x1c/0x3c
+ tty_port_tty_wakeup+0x34/0x40
+ uart_write_wakeup+0x28/0x44
+ pl011_tx_chars+0x1b8/0x270
+ pl011_start_tx+0x24/0x70
+ __uart_start+0x5c/0x68
+ uart_write+0x164/0x1c8
+ do_output_char+0x33c/0x348
+ n_tty_write+0x4bc/0x60c
+ tty_write+0x338/0x474
+ redirected_tty_write+0xc0/0xdc
+ do_loop_readv_writev+0x140/0x180
+ do_iter_write+0xe0/0x10c
+ vfs_writev+0x134/0x1cc
+ do_writev+0xbc/0x130
+ __arm64_sys_writev+0x58/0x8c
+ el0_svc_handler+0x170/0x240
+ el0_sync_handler+0x150/0x250
+ el0_sync+0x164/0x180
+
+ -> #2 (&port_lock_key){-.-.}:
+ lock_acquire+0x320/0x360
+ _raw_spin_lock+0x64/0x80
+ pl011_console_write+0xec/0x2cc
+ console_unlock+0x794/0x96c
+ vprintk_emit+0x260/0x31c
+ vprintk_default+0x54/0x7c
+ vprintk_func+0x218/0x254
+ printk+0x7c/0xa4
+ register_console+0x734/0x7b0
+ uart_add_one_port+0x734/0x834
+ pl011_register_port+0x6c/0xac
+ sbsa_uart_probe+0x234/0x2ec
+ platform_drv_probe+0xd4/0x124
+ really_probe+0x250/0x71c
+ driver_probe_device+0xb4/0x200
+ __device_attach_driver+0xd8/0x188
+ bus_for_each_drv+0xbc/0x110
+ __device_attach+0x120/0x220
+ device_initial_probe+0x20/0x2c
+ bus_probe_device+0x54/0x100
+ device_add+0xae8/0xc2c
+ platform_device_add+0x278/0x3b8
+ platform_device_register_full+0x238/0x2ac
+ acpi_create_platform_device+0x2dc/0x3a8
+ acpi_bus_attach+0x390/0x3cc
+ acpi_bus_attach+0x108/0x3cc
+ acpi_bus_attach+0x108/0x3cc
+ acpi_bus_attach+0x108/0x3cc
+ acpi_bus_scan+0x7c/0xb0
+ acpi_scan_init+0xe4/0x304
+ acpi_init+0x100/0x114
+ do_one_initcall+0x348/0x6a0
+ do_initcall_level+0x190/0x1fc
+ do_basic_setup+0x34/0x4c
+ kernel_init_freeable+0x19c/0x260
+ kernel_init+0x18/0x338
+ ret_from_fork+0x10/0x18
+
+ -> #1 (console_owner){-...}:
+ lock_acquire+0x320/0x360
+ console_lock_spinning_enable+0x6c/0x7c
+ console_unlock+0x4f8/0x96c
+ vprintk_emit+0x260/0x31c
+ vprintk_default+0x54/0x7c
+ vprintk_func+0x218/0x254
+ printk+0x7c/0xa4
+ get_random_u64+0x1c4/0x1dc
+ shuffle_pick_tail+0x40/0xac
+ __free_one_page+0x424/0x710
+ free_one_page+0x70/0x120
+ __free_pages_ok+0x61c/0xa94
+ __free_pages_core+0x1bc/0x294
+ memblock_free_pages+0x38/0x48
+ __free_pages_memory+0xcc/0xfc
+ __free_memory_core+0x70/0x78
+ free_low_memory_core_early+0x148/0x18c
+ memblock_free_all+0x18/0x54
+ mem_init+0xb4/0x17c
+ mm_init+0x14/0x38
+ start_kernel+0x19c/0x530
+
+ -> #0 (&(&zone->lock)->rlock){..-.}:
+ validate_chain+0xf6c/0x2e2c
+ __lock_acquire+0x868/0xc2c
+ lock_acquire+0x320/0x360
+ _raw_spin_lock+0x64/0x80
+ rmqueue+0x138/0x2050
+ get_page_from_freelist+0x474/0x688
+ __alloc_pages_nodemask+0x3b4/0x18dc
+ alloc_pages_current+0xd0/0xe0
+ alloc_slab_page+0x2b4/0x5e0
+ new_slab+0xc8/0x6bc
+ ___slab_alloc+0x3b8/0x640
+ kmem_cache_alloc+0x4b4/0x588
+ __debug_object_init+0x778/0x8b4
+ debug_object_init_on_stack+0x40/0x50
+ start_flush_work+0x16c/0x3f0
+ __flush_work+0xb8/0x124
+ flush_work+0x20/0x30
+ xlog_cil_force_lsn+0x88/0x204 [xfs]
+ xfs_log_force_lsn+0x128/0x1b8 [xfs]
+ xfs_file_fsync+0x3c4/0x488 [xfs]
+ vfs_fsync_range+0xb0/0xd0
+ generic_write_sync+0x80/0xa0 [xfs]
+ xfs_file_buffered_aio_write+0x66c/0x6e4 [xfs]
+ xfs_file_write_iter+0x1a0/0x218 [xfs]
+ __vfs_write+0x1cc/0x214
+ vfs_write+0x12c/0x1a4
+ ksys_write+0xb0/0x120
+ __arm64_sys_write+0x54/0x88
+ el0_svc_handler+0x170/0x240
+ el0_sync_handler+0x150/0x250
+ el0_sync+0x164/0x180
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ &(&zone->lock)->rlock --> &(&port->lock)->rlock --> &pool->lock/1
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&pool->lock/1);
+ lock(&(&port->lock)->rlock);
+ lock(&pool->lock/1);
+ lock(&(&zone->lock)->rlock);
+
+ *** DEADLOCK ***
+
+4 locks held by doio/49441:
+ #0: a0ff00886fc27408 (sb_writers#8){.+.+}, at: vfs_write+0x118/0x1a4
+ #1: 8fff00080810dfe0 (&xfs_nondir_ilock_class){++++}, at:
+xfs_ilock+0x2a8/0x300 [xfs]
+ #2: ffff9000129f2390 (rcu_read_lock){....}, at:
+rcu_lock_acquire+0x8/0x38
+ #3: 60ff000822352818 (&pool->lock/1){-.-.}, at:
+start_flush_work+0xd8/0x3f0
+
+ stack backtrace:
+CPU: 48 PID: 49441 Comm: doio Tainted: G W
+Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS
+L50_5.13_1.11 06/18/2019
+Call trace:
+ dump_backtrace+0x0/0x248
+ show_stack+0x20/0x2c
+ dump_stack+0xe8/0x150
+ print_circular_bug+0x368/0x380
+ check_noncircular+0x28c/0x294
+ validate_chain+0xf6c/0x2e2c
+ __lock_acquire+0x868/0xc2c
+ lock_acquire+0x320/0x360
+ _raw_spin_lock+0x64/0x80
+ rmqueue+0x138/0x2050
+ get_page_from_freelist+0x474/0x688
+ __alloc_pages_nodemask+0x3b4/0x18dc
+ alloc_pages_current+0xd0/0xe0
+ alloc_slab_page+0x2b4/0x5e0
+ new_slab+0xc8/0x6bc
+ ___slab_alloc+0x3b8/0x640
+ kmem_cache_alloc+0x4b4/0x588
+ __debug_object_init+0x778/0x8b4
+ debug_object_init_on_stack+0x40/0x50
+ start_flush_work+0x16c/0x3f0
+ __flush_work+0xb8/0x124
+ flush_work+0x20/0x30
+ xlog_cil_force_lsn+0x88/0x204 [xfs]
+ xfs_log_force_lsn+0x128/0x1b8 [xfs]
+ xfs_file_fsync+0x3c4/0x488 [xfs]
+ vfs_fsync_range+0xb0/0xd0
+ generic_write_sync+0x80/0xa0 [xfs]
+ xfs_file_buffered_aio_write+0x66c/0x6e4 [xfs]
+ xfs_file_write_iter+0x1a0/0x218 [xfs]
+ __vfs_write+0x1cc/0x214
+ vfs_write+0x12c/0x1a4
+ ksys_write+0xb0/0x120
+ __arm64_sys_write+0x54/0x88
+ el0_svc_handler+0x170/0x240
+ el0_sync_handler+0x150/0x250
+ el0_sync+0x164/0x180
+
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Link: https://lore.kernel.org/r/1573679785-21068-1-git-send-email-cai@lca.pw
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1687,8 +1687,9 @@ static void _warn_unseeded_randomness(co
+ print_once = true;
+ #endif
+ if (__ratelimit(&unseeded_warning))
+- pr_notice("random: %s called from %pS with crng_init=%d\n",
+- func_name, caller, crng_init);
++ printk_deferred(KERN_NOTICE "random: %s called from %pS "
++ "with crng_init=%d\n", func_name, caller,
++ crng_init);
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 23 Dec 2020 00:09:57 -0800
+Subject: crypto: blake2s - adjust include guard naming
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8786841bc2020f7f2513a6c74e64912f07b9c0dc upstream.
+
+Use the full path in the include guards for the BLAKE2s headers to avoid
+ambiguity and to match the convention for most files in include/crypto/.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/blake2s.h | 6 +++---
+ include/crypto/internal/blake2s.h | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/include/crypto/blake2s.h
++++ b/include/crypto/blake2s.h
+@@ -3,8 +3,8 @@
+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+-#ifndef BLAKE2S_H
+-#define BLAKE2S_H
++#ifndef _CRYPTO_BLAKE2S_H
++#define _CRYPTO_BLAKE2S_H
+
+ #include <linux/bug.h>
+ #include <linux/types.h>
+@@ -99,4 +99,4 @@ static inline void blake2s(u8 *out, cons
+ blake2s_final(&state, out);
+ }
+
+-#endif /* BLAKE2S_H */
++#endif /* _CRYPTO_BLAKE2S_H */
+--- a/include/crypto/internal/blake2s.h
++++ b/include/crypto/internal/blake2s.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: GPL-2.0 OR MIT */
+
+-#ifndef BLAKE2S_INTERNAL_H
+-#define BLAKE2S_INTERNAL_H
++#ifndef _CRYPTO_INTERNAL_BLAKE2S_H
++#define _CRYPTO_INTERNAL_BLAKE2S_H
+
+ #include <crypto/blake2s.h>
+
+@@ -16,4 +16,4 @@ static inline void blake2s_set_lastblock
+ state->f[0] = -1;
+ }
+
+-#endif /* BLAKE2S_INTERNAL_H */
++#endif /* _CRYPTO_INTERNAL_BLAKE2S_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Nov 2019 13:22:28 +0100
+Subject: crypto: blake2s - generic C library implementation and selftest
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 66d7fb94e4ffe5acc589e0b2b4710aecc1f07a28 upstream.
+
+The C implementation was originally based on Samuel Neves' public
+domain reference implementation but has since been heavily modified
+for the kernel. We're able to do compile-time optimizations by moving
+some scaffolding around the final function into the header file.
+
+Information: https://blake2.net/
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
+Co-developed-by: Samuel Neves <sneves@dei.uc.pt>
+[ardb: - move from lib/zinc to lib/crypto
+ - remove simd handling
+ - rewrote selftest for better coverage
+ - use fixed digest length for blake2s_hmac() and rename to
+ blake2s256_hmac() ]
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[Jason: for stable, skip kconfig and wire up directly, and skip the arch
+ hooks; optimized implementations need not be backported.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/blake2s.h | 106 ++++++
+ include/crypto/internal/blake2s.h | 19 +
+ lib/Makefile | 2
+ lib/crypto/Makefile | 7
+ lib/crypto/blake2s-generic.c | 111 ++++++
+ lib/crypto/blake2s-selftest.c | 622 ++++++++++++++++++++++++++++++++++++++
+ lib/crypto/blake2s.c | 115 +++++++
+ 7 files changed, 982 insertions(+)
+ create mode 100644 include/crypto/blake2s.h
+ create mode 100644 include/crypto/internal/blake2s.h
+ create mode 100644 lib/crypto/Makefile
+ create mode 100644 lib/crypto/blake2s-generic.c
+ create mode 100644 lib/crypto/blake2s-selftest.c
+ create mode 100644 lib/crypto/blake2s.c
+
+--- /dev/null
++++ b/include/crypto/blake2s.h
+@@ -0,0 +1,106 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++/*
++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
++ */
++
++#ifndef BLAKE2S_H
++#define BLAKE2S_H
++
++#include <linux/types.h>
++#include <linux/kernel.h>
++#include <linux/string.h>
++
++#include <asm/bug.h>
++
++enum blake2s_lengths {
++ BLAKE2S_BLOCK_SIZE = 64,
++ BLAKE2S_HASH_SIZE = 32,
++ BLAKE2S_KEY_SIZE = 32,
++
++ BLAKE2S_128_HASH_SIZE = 16,
++ BLAKE2S_160_HASH_SIZE = 20,
++ BLAKE2S_224_HASH_SIZE = 28,
++ BLAKE2S_256_HASH_SIZE = 32,
++};
++
++struct blake2s_state {
++ u32 h[8];
++ u32 t[2];
++ u32 f[2];
++ u8 buf[BLAKE2S_BLOCK_SIZE];
++ unsigned int buflen;
++ unsigned int outlen;
++};
++
++enum blake2s_iv {
++ BLAKE2S_IV0 = 0x6A09E667UL,
++ BLAKE2S_IV1 = 0xBB67AE85UL,
++ BLAKE2S_IV2 = 0x3C6EF372UL,
++ BLAKE2S_IV3 = 0xA54FF53AUL,
++ BLAKE2S_IV4 = 0x510E527FUL,
++ BLAKE2S_IV5 = 0x9B05688CUL,
++ BLAKE2S_IV6 = 0x1F83D9ABUL,
++ BLAKE2S_IV7 = 0x5BE0CD19UL,
++};
++
++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen);
++void blake2s_final(struct blake2s_state *state, u8 *out);
++
++static inline void blake2s_init_param(struct blake2s_state *state,
++ const u32 param)
++{
++ *state = (struct blake2s_state){{
++ BLAKE2S_IV0 ^ param,
++ BLAKE2S_IV1,
++ BLAKE2S_IV2,
++ BLAKE2S_IV3,
++ BLAKE2S_IV4,
++ BLAKE2S_IV5,
++ BLAKE2S_IV6,
++ BLAKE2S_IV7,
++ }};
++}
++
++static inline void blake2s_init(struct blake2s_state *state,
++ const size_t outlen)
++{
++ blake2s_init_param(state, 0x01010000 | outlen);
++ state->outlen = outlen;
++}
++
++static inline void blake2s_init_key(struct blake2s_state *state,
++ const size_t outlen, const void *key,
++ const size_t keylen)
++{
++ WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE ||
++ !key || !keylen || keylen > BLAKE2S_KEY_SIZE));
++
++ blake2s_init_param(state, 0x01010000 | keylen << 8 | outlen);
++ memcpy(state->buf, key, keylen);
++ state->buflen = BLAKE2S_BLOCK_SIZE;
++ state->outlen = outlen;
++}
++
++static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
++ const size_t outlen, const size_t inlen,
++ const size_t keylen)
++{
++ struct blake2s_state state;
++
++ WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen ||
++ outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE ||
++ (!key && keylen)));
++
++ if (keylen)
++ blake2s_init_key(&state, outlen, key, keylen);
++ else
++ blake2s_init(&state, outlen);
++
++ blake2s_update(&state, in, inlen);
++ blake2s_final(&state, out);
++}
++
++void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
++ const size_t keylen);
++
++#endif /* BLAKE2S_H */
+--- /dev/null
++++ b/include/crypto/internal/blake2s.h
+@@ -0,0 +1,19 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++
++#ifndef BLAKE2S_INTERNAL_H
++#define BLAKE2S_INTERNAL_H
++
++#include <crypto/blake2s.h>
++
++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
++ size_t nblocks, const u32 inc);
++
++void blake2s_compress_arch(struct blake2s_state *state,const u8 *block,
++ size_t nblocks, const u32 inc);
++
++static inline void blake2s_set_lastblock(struct blake2s_state *state)
++{
++ state->f[0] = -1;
++}
++
++#endif /* BLAKE2S_INTERNAL_H */
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -262,3 +262,5 @@ CFLAGS_ubsan.o := $(call cc-option, -fno
+ obj-$(CONFIG_SBITMAP) += sbitmap.o
+
+ obj-$(CONFIG_PARMAN) += parman.o
++
++obj-y += crypto/
+--- /dev/null
++++ b/lib/crypto/Makefile
+@@ -0,0 +1,7 @@
++# SPDX-License-Identifier: GPL-2.0
++
++obj-y += libblake2s.o
++libblake2s-y += blake2s.o blake2s-generic.o
++ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
++libblake2s-y += blake2s-selftest.o
++endif
+--- /dev/null
++++ b/lib/crypto/blake2s-generic.c
+@@ -0,0 +1,111 @@
++// SPDX-License-Identifier: GPL-2.0 OR MIT
++/*
++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
++ *
++ * This is an implementation of the BLAKE2s hash and PRF functions.
++ *
++ * Information: https://blake2.net/
++ *
++ */
++
++#include <crypto/internal/blake2s.h>
++#include <linux/types.h>
++#include <linux/string.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/init.h>
++#include <linux/bug.h>
++#include <asm/unaligned.h>
++
++static const u8 blake2s_sigma[10][16] = {
++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
++};
++
++static inline void blake2s_increment_counter(struct blake2s_state *state,
++ const u32 inc)
++{
++ state->t[0] += inc;
++ state->t[1] += (state->t[0] < inc);
++}
++
++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
++ size_t nblocks, const u32 inc)
++{
++ u32 m[16];
++ u32 v[16];
++ int i;
++
++ WARN_ON(IS_ENABLED(DEBUG) &&
++ (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
++
++ while (nblocks > 0) {
++ blake2s_increment_counter(state, inc);
++ memcpy(m, block, BLAKE2S_BLOCK_SIZE);
++ le32_to_cpu_array(m, ARRAY_SIZE(m));
++ memcpy(v, state->h, 32);
++ v[ 8] = BLAKE2S_IV0;
++ v[ 9] = BLAKE2S_IV1;
++ v[10] = BLAKE2S_IV2;
++ v[11] = BLAKE2S_IV3;
++ v[12] = BLAKE2S_IV4 ^ state->t[0];
++ v[13] = BLAKE2S_IV5 ^ state->t[1];
++ v[14] = BLAKE2S_IV6 ^ state->f[0];
++ v[15] = BLAKE2S_IV7 ^ state->f[1];
++
++#define G(r, i, a, b, c, d) do { \
++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
++ d = ror32(d ^ a, 16); \
++ c += d; \
++ b = ror32(b ^ c, 12); \
++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
++ d = ror32(d ^ a, 8); \
++ c += d; \
++ b = ror32(b ^ c, 7); \
++} while (0)
++
++#define ROUND(r) do { \
++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
++ G(r, 2, v[2], v[ 6], v[10], v[14]); \
++ G(r, 3, v[3], v[ 7], v[11], v[15]); \
++ G(r, 4, v[0], v[ 5], v[10], v[15]); \
++ G(r, 5, v[1], v[ 6], v[11], v[12]); \
++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
++} while (0)
++ ROUND(0);
++ ROUND(1);
++ ROUND(2);
++ ROUND(3);
++ ROUND(4);
++ ROUND(5);
++ ROUND(6);
++ ROUND(7);
++ ROUND(8);
++ ROUND(9);
++
++#undef G
++#undef ROUND
++
++ for (i = 0; i < 8; ++i)
++ state->h[i] ^= v[i] ^ v[i + 8];
++
++ block += BLAKE2S_BLOCK_SIZE;
++ --nblocks;
++ }
++}
++
++EXPORT_SYMBOL(blake2s_compress_generic);
++
++MODULE_LICENSE("GPL v2");
++MODULE_DESCRIPTION("BLAKE2s hash function");
++MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
+--- /dev/null
++++ b/lib/crypto/blake2s-selftest.c
+@@ -0,0 +1,622 @@
++// SPDX-License-Identifier: GPL-2.0 OR MIT
++/*
++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
++ */
++
++#include <crypto/blake2s.h>
++#include <linux/string.h>
++
++/*
++ * blake2s_testvecs[] generated with the program below (using libb2-dev and
++ * libssl-dev [OpenSSL])
++ *
++ * #include <blake2.h>
++ * #include <stdint.h>
++ * #include <stdio.h>
++ *
++ * #include <openssl/evp.h>
++ * #include <openssl/hmac.h>
++ *
++ * #define BLAKE2S_TESTVEC_COUNT 256
++ *
++ * static void print_vec(const uint8_t vec[], int len)
++ * {
++ * int i;
++ *
++ * printf(" { ");
++ * for (i = 0; i < len; i++) {
++ * if (i && (i % 12) == 0)
++ * printf("\n ");
++ * printf("0x%02x, ", vec[i]);
++ * }
++ * printf("},\n");
++ * }
++ *
++ * int main(void)
++ * {
++ * uint8_t key[BLAKE2S_KEYBYTES];
++ * uint8_t buf[BLAKE2S_TESTVEC_COUNT];
++ * uint8_t hash[BLAKE2S_OUTBYTES];
++ * int i, j;
++ *
++ * key[0] = key[1] = 1;
++ * for (i = 2; i < BLAKE2S_KEYBYTES; ++i)
++ * key[i] = key[i - 2] + key[i - 1];
++ *
++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i)
++ * buf[i] = (uint8_t)i;
++ *
++ * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
++ *
++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) {
++ * int outlen = 1 + i % BLAKE2S_OUTBYTES;
++ * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1);
++ *
++ * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i,
++ * keylen);
++ * print_vec(hash, outlen);
++ * }
++ * printf("};\n\n");
++ *
++ * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
++ *
++ * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
++ * print_vec(hash, BLAKE2S_OUTBYTES);
++ *
++ * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
++ * print_vec(hash, BLAKE2S_OUTBYTES);
++ *
++ * printf("};\n");
++ *
++ * return 0;
++ *}
++ */
++static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
++ { 0xa1, },
++ { 0x7c, 0x89, },
++ { 0x74, 0x0e, 0xd4, },
++ { 0x47, 0x0c, 0x21, 0x15, },
++ { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, },
++ { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, },
++ { 0x2c, 0xb5, 0x04, 0xb7, 0x99, 0xe2, 0x73, },
++ { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, },
++ { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, },
++ { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, },
++ { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, },
++ { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, },
++ { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda,
++ 0xb7, },
++ { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25,
++ 0x52, 0x3e, },
++ { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc,
++ 0x57, 0xe2, 0x27, },
++ { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6,
++ 0x47, 0x2a, 0xc7, 0xf5, },
++ { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43,
++ 0xe7, 0x72, 0x08, 0xec, 0xbe, },
++ { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96,
++ 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, },
++ { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e,
++ 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, },
++ { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d,
++ 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, },
++ { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86,
++ 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, },
++ { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41,
++ 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, },
++ { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22,
++ 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, },
++ { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00,
++ 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, },
++ { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9,
++ 0x6a, 0xe7, 0xcb, 0xc4, 0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13,
++ 0xd1, },
++ { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05,
++ 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07,
++ 0x01, 0x3e, },
++ { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74,
++ 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b,
++ 0xec, 0x13, 0xed, },
++ { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7,
++ 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37,
++ 0x72, 0x67, 0x09, 0xfc, },
++ { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38,
++ 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c,
++ 0x95, 0x29, 0x19, 0xf2, 0x4b, },
++ { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22,
++ 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30,
++ 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, },
++ { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e,
++ 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd,
++ 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, },
++ { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe,
++ 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61,
++ 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, },
++ { 0x0a, },
++ { 0x6e, 0xd4, },
++ { 0x64, 0xe9, 0xd1, },
++ { 0x30, 0xdd, 0x71, 0xef, },
++ { 0x11, 0xb5, 0x0c, 0x87, 0xc9, },
++ { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, },
++ { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, },
++ { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, },
++ { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, },
++ { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, },
++ { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, },
++ { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, },
++ { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf,
++ 0xe2, },
++ { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64,
++ 0x7e, 0xb0, },
++ { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51,
++ 0x98, 0x0a, 0x8d, },
++ { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04,
++ 0xf1, 0xc3, 0x94, 0xd8, },
++ { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7,
++ 0x2c, 0xe8, 0x8f, 0xc7, 0x34, },
++ { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41,
++ 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, },
++ { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81,
++ 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, },
++ { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4,
++ 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, },
++ { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a,
++ 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, },
++ { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb,
++ 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, },
++ { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9,
++ 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, },
++ { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9,
++ 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, },
++ { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e,
++ 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42,
++ 0xe3, },
++ { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9,
++ 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e,
++ 0xe3, 0x90, },
++ { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 0x7d, 0x75, 0xc3,
++ 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10,
++ 0x58, 0x06, 0x9a, },
++ { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5,
++ 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d,
++ 0x53, 0x03, 0x1a, 0x39, },
++ { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0,
++ 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5,
++ 0xd4, 0x36, 0xb1, 0xac, 0x73, },
++ { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59,
++ 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90,
++ 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, },
++ { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28,
++ 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75,
++ 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, },
++ { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6,
++ 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77,
++ 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, },
++ { 0x9d, },
++ { 0x9d, 0x7d, },
++ { 0xfd, 0xc3, 0xda, },
++ { 0xe8, 0x82, 0xcd, 0x21, },
++ { 0xc3, 0x1d, 0x42, 0x4c, 0x74, },
++ { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, },
++ { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, },
++ { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, },
++ { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, },
++ { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, },
++ { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, },
++ { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, },
++ { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3,
++ 0x63, },
++ { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f,
++ 0xe6, 0xa9, },
++ { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 0xf2, 0x62, 0x0a,
++ 0xf6, 0x0e, 0x20, },
++ { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39,
++ 0x18, 0x3e, 0xc7, 0xc3, },
++ { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c,
++ 0x92, 0xfc, 0x7f, 0x34, 0x41, },
++ { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb,
++ 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, },
++ { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96,
++ 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, },
++ { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6,
++ 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, },
++ { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba,
++ 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, },
++ { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0,
++ 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, },
++ { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d,
++ 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, },
++ { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59,
++ 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, },
++ { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89,
++ 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e,
++ 0xaf, },
++ { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc,
++ 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7,
++ 0xb1, 0x1d, },
++ { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9,
++ 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf,
++ 0xee, 0x6a, 0xbe, },
++ { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8,
++ 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd,
++ 0x5c, 0xef, 0xa3, 0x25, },
++ { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6,
++ 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8,
++ 0x4b, 0x0e, 0xe3, 0x94, 0x9f, },
++ { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc,
++ 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf,
++ 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, },
++ { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76,
++ 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46,
++ 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, },
++ { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02,
++ 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3,
++ 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, },
++ { 0x02, },
++ { 0x52, 0xa8, },
++ { 0x38, 0x25, 0x0d, },
++ { 0xe3, 0x04, 0xd4, 0x92, },
++ { 0x97, 0xdb, 0xf7, 0x81, 0xca, },
++ { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, },
++ { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, },
++ { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, },
++ { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, },
++ { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, },
++ { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, },
++ { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, },
++ { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa,
++ 0xd3, },
++ { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c,
++ 0xb7, 0x9a, },
++ { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31,
++ 0x3d, 0x47, 0x3d, },
++ { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0,
++ 0x24, 0xf0, 0x17, 0xc0, },
++ { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76,
++ 0xd2, 0xfd, 0x0c, 0x47, 0x40, },
++ { 0xa1, 0xd8, 0x09, 0x97, 0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae,
++ 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, },
++ { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee,
++ 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, },
++ { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d,
++ 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, },
++ { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61,
++ 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, },
++ { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd,
++ 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, },
++ { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5,
++ 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, },
++ { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17,
++ 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, },
++ { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c,
++ 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c,
++ 0xae, },
++ { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5,
++ 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d,
++ 0x59, 0x00, },
++ { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e,
++ 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c,
++ 0x5a, 0x2c, 0x3b, },
++ { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda,
++ 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c,
++ 0x10, 0x07, 0x2a, 0xc4, },
++ { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14,
++ 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf,
++ 0xee, 0xa1, 0x74, 0xd6, 0x71, },
++ { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33,
++ 0xcf, 0x74, 0x25, 0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff,
++ 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, },
++ { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c,
++ 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44,
++ 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, },
++ { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff,
++ 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23,
++ 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, },
++ { 0xbe, },
++ { 0x17, 0x6c, },
++ { 0x1a, 0x42, 0x4f, },
++ { 0xba, 0xaf, 0xb7, 0x65, },
++ { 0xc2, 0x63, 0x43, 0x6a, 0xea, },
++ { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, },
++ { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, },
++ { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, },
++ { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, },
++ { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, },
++ { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, },
++ { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, },
++ { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92,
++ 0xe9, },
++ { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d,
++ 0xc4, 0xb3, },
++ { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60,
++ 0xd7, 0xd3, 0x5e, },
++ { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16,
++ 0xaf, 0x39, 0xbd, 0x92, },
++ { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10,
++ 0xd9, 0xa7, 0x66, 0x27, 0xcf, },
++ { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02,
++ 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, },
++ { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd,
++ 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, },
++ { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3,
++ 0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, },
++ { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f,
++ 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, },
++ { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51,
++ 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, },
++ { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3,
++ 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, },
++ { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda,
++ 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, },
++ { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6,
++ 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a,
++ 0x26, },
++ { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24,
++ 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35,
++ 0xf4, 0x1d, },
++ { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9,
++ 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46,
++ 0x4e, 0x29, 0x26, },
++ { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09,
++ 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98,
++ 0x1a, 0x5b, 0xff, 0xc9, },
++ { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2,
++ 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69,
++ 0xbf, 0xf6, 0xbe, 0x3c, 0x40, },
++ { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31,
++ 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20,
++ 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, },
++ { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4,
++ 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30,
++ 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, },
++ { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0,
++ 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5,
++ 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, },
++ { 0x1f, },
++ { 0x82, 0x60, },
++ { 0xcc, 0xe3, 0x08, },
++ { 0x56, 0x17, 0xe4, 0x59, },
++ { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, },
++ { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, },
++ { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, },
++ { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, },
++ { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, },
++ { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, },
++ { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, },
++ { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, },
++ { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc,
++ 0x5b, },
++ { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0,
++ 0x90, 0x48, },
++ { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60,
++ 0x04, 0xd9, 0xd5, },
++ { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47,
++ 0xe5, 0x31, 0x06, 0x70, },
++ { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c,
++ 0x70, 0x25, 0xdb, 0x33, 0x27, },
++ { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a,
++ 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, },
++ { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3,
++ 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, },
++ { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7,
++ 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, },
++ { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac,
++ 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, },
++ { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98,
++ 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 0x70, 0x82, 0x1c, 0x7b, 0x74, },
++ { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11,
++ 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, },
++ { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a,
++ 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, },
++ { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41,
++ 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70,
++ 0x88, },
++ { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4,
++ 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3,
++ 0xc6, 0xbb, },
++ { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55,
++ 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5,
++ 0x55, 0xfd, 0x4f, },
++ { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e,
++ 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2,
++ 0x42, 0x64, 0x3b, 0x1a, },
++ { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95,
++ 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5,
++ 0x1d, 0x60, 0x8f, 0x8a, 0x1d, },
++ { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4,
++ 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d,
++ 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, },
++ { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b,
++ 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3,
++ 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, },
++ { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf,
++ 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f,
++ 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, },
++ { 0x60, },
++ { 0x24, 0x26, },
++ { 0x47, 0xeb, 0xc9, },
++ { 0x4a, 0xd0, 0xbc, 0xf0, },
++ { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, },
++ { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, },
++ { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, },
++ { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, },
++ { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, },
++ { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, },
++ { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, },
++ { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, },
++ { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91,
++ 0x8d, },
++ { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33,
++ 0xbf, 0xa0, },
++ { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c,
++ 0xd5, 0x4b, 0xed, },
++ { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44,
++ 0xc8, 0x24, 0x0a, 0xb7, },
++ { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75,
++ 0xb2, 0x15, 0xd1, 0xb1, 0x10, },
++ { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35,
++ 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, },
++ { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9,
++ 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, },
++ { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47,
++ 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, },
++ { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35,
++ 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, },
++ { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1,
++ 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, },
++ { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21,
++ 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, },
++ { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4,
++ 0x6a, 0x32, 0x90, 0xfe, 0xb7, 0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, },
++ { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7,
++ 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7,
++ 0xd3, },
++ { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb,
++ 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16,
++ 0xa6, 0xd6, },
++ { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80,
++ 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88,
++ 0x55, 0xd1, 0xa9, },
++ { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54,
++ 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46,
++ 0xef, 0xb0, 0x00, 0x8d, },
++ { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8,
++ 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94,
++ 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, },
++ { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4,
++ 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67,
++ 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, },
++ { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02,
++ 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04,
++ 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, },
++ { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28,
++ 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca,
++ 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, },
++ { 0x7e, },
++ { 0x1e, 0x21, },
++ { 0x26, 0xd3, 0xdd, },
++ { 0x2c, 0xd4, 0xb3, 0x3d, },
++ { 0x86, 0x7b, 0x76, 0x3c, 0xf0, },
++ { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, },
++ { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, },
++ { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, },
++ { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, },
++ { 0x39, 0x93, 0xdf, 0xd5, 0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, },
++ { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, },
++ { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, },
++ { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77,
++ 0x66, },
++ { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31,
++ 0x55, 0x66, },
++ { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12,
++ 0x43, 0xbf, 0xa1, },
++ { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e,
++ 0x95, 0x8a, 0xc5, 0xed, },
++ { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef,
++ 0xf6, 0x2b, 0x3a, 0xba, 0x60, },
++ { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2,
++ 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, },
++ { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b,
++ 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, },
++ { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94,
++ 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, },
++ { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b,
++ 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, },
++ { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf,
++ 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, },
++ { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8,
++ 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, },
++ { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea,
++ 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, },
++ { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2,
++ 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0,
++ 0xd7, },
++ { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b,
++ 0xd1, 0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd,
++ 0xb6, 0xef, },
++ { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6,
++ 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57,
++ 0xef, 0xf8, 0x53, },
++ { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46,
++ 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89,
++ 0x89, 0xfd, 0xf7, 0x99, },
++ { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03,
++ 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a,
++ 0xa9, 0x8f, 0x2b, 0x59, 0xfb, },
++ { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb,
++ 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d,
++ 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, },
++ { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0,
++ 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d,
++ 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, },
++ { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c,
++ 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92,
++ 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
++};
++
++static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
++ { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
++ 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
++ 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
++ { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
++ 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
++ 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
++};
++
++bool __init blake2s_selftest(void)
++{
++ u8 key[BLAKE2S_KEY_SIZE];
++ u8 buf[ARRAY_SIZE(blake2s_testvecs)];
++ u8 hash[BLAKE2S_HASH_SIZE];
++ struct blake2s_state state;
++ bool success = true;
++ int i, l;
++
++ key[0] = key[1] = 1;
++ for (i = 2; i < sizeof(key); ++i)
++ key[i] = key[i - 2] + key[i - 1];
++
++ for (i = 0; i < sizeof(buf); ++i)
++ buf[i] = (u8)i;
++
++ for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) {
++ int outlen = 1 + i % BLAKE2S_HASH_SIZE;
++ int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1);
++
++ blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, outlen, i,
++ keylen);
++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
++ pr_err("blake2s self-test %d: FAIL\n", i + 1);
++ success = false;
++ }
++
++ if (!keylen)
++ blake2s_init(&state, outlen);
++ else
++ blake2s_init_key(&state, outlen,
++ key + BLAKE2S_KEY_SIZE - keylen,
++ keylen);
++
++ blake2s_update(&state, buf, l);
++ blake2s_update(&state, buf + l, i - l);
++ blake2s_final(&state, hash);
++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
++ pr_err("blake2s init/update/final self-test %d: FAIL\n",
++ i + 1);
++ success = false;
++ }
++ }
++
++ if (success) {
++ blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
++ success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
++
++ blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
++ success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
++
++ if (!success)
++ pr_err("blake2s256_hmac self-test: FAIL\n");
++ }
++
++ return success;
++}
+--- /dev/null
++++ b/lib/crypto/blake2s.c
+@@ -0,0 +1,115 @@
++// SPDX-License-Identifier: GPL-2.0 OR MIT
++/*
++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
++ *
++ * This is an implementation of the BLAKE2s hash and PRF functions.
++ *
++ * Information: https://blake2.net/
++ *
++ */
++
++#include <crypto/internal/blake2s.h>
++#include <linux/types.h>
++#include <linux/string.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/init.h>
++#include <linux/bug.h>
++#include <asm/unaligned.h>
++
++bool blake2s_selftest(void);
++
++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
++{
++ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
++
++ if (unlikely(!inlen))
++ return;
++ if (inlen > fill) {
++ memcpy(state->buf + state->buflen, in, fill);
++ blake2s_compress_generic(state, state->buf, 1,
++ BLAKE2S_BLOCK_SIZE);
++ state->buflen = 0;
++ in += fill;
++ inlen -= fill;
++ }
++ if (inlen > BLAKE2S_BLOCK_SIZE) {
++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
++ /* Hash one less (full) block than strictly possible */
++ blake2s_compress_generic(state, in, nblocks - 1,
++ BLAKE2S_BLOCK_SIZE);
++ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
++ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
++ }
++ memcpy(state->buf + state->buflen, in, inlen);
++ state->buflen += inlen;
++}
++EXPORT_SYMBOL(blake2s_update);
++
++void blake2s_final(struct blake2s_state *state, u8 *out)
++{
++ WARN_ON(IS_ENABLED(DEBUG) && !out);
++ blake2s_set_lastblock(state);
++ memset(state->buf + state->buflen, 0,
++ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
++ blake2s_compress_generic(state, state->buf, 1, state->buflen);
++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
++ memcpy(out, state->h, state->outlen);
++ memzero_explicit(state, sizeof(*state));
++}
++EXPORT_SYMBOL(blake2s_final);
++
++void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
++ const size_t keylen)
++{
++ struct blake2s_state state;
++ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
++ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
++ int i;
++
++ if (keylen > BLAKE2S_BLOCK_SIZE) {
++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
++ blake2s_update(&state, key, keylen);
++ blake2s_final(&state, x_key);
++ } else
++ memcpy(x_key, key, keylen);
++
++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++ x_key[i] ^= 0x36;
++
++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++ blake2s_update(&state, in, inlen);
++ blake2s_final(&state, i_hash);
++
++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
++ x_key[i] ^= 0x5c ^ 0x36;
++
++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
++ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
++ blake2s_final(&state, i_hash);
++
++ memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
++ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
++ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
++}
++EXPORT_SYMBOL(blake2s256_hmac);
++
++static int __init mod_init(void)
++{
++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
++ WARN_ON(!blake2s_selftest()))
++ return -ENODEV;
++ return 0;
++}
++
++static void __exit mod_exit(void)
++{
++}
++
++module_init(mod_init);
++module_exit(mod_exit);
++MODULE_LICENSE("GPL v2");
++MODULE_DESCRIPTION("BLAKE2s hash function");
++MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 23 Dec 2020 00:09:58 -0800
+Subject: crypto: blake2s - include <linux/bug.h> instead of <asm/bug.h>
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit bbda6e0f1303953c855ee3669655a81b69fbe899 upstream.
+
+Address the following checkpatch warning:
+
+ WARNING: Use #include <linux/bug.h> instead of <asm/bug.h>
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/blake2s.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/include/crypto/blake2s.h
++++ b/include/crypto/blake2s.h
+@@ -6,12 +6,11 @@
+ #ifndef BLAKE2S_H
+ #define BLAKE2S_H
+
++#include <linux/bug.h>
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/string.h>
+
+-#include <asm/bug.h>
+-
+ enum blake2s_lengths {
+ BLAKE2S_BLOCK_SIZE = 64,
+ BLAKE2S_HASH_SIZE = 32,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 11 Sep 2018 20:05:10 -0700
+Subject: crypto: chacha20 - Fix chacha20_block() keystream alignment (again)
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit a5e9f557098e54af44ade5d501379be18435bfbf ]
+
+In commit 9f480faec58c ("crypto: chacha20 - Fix keystream alignment for
+chacha20_block()"), I had missed that chacha20_block() can be called
+directly on the buffer passed to get_random_bytes(), which can have any
+alignment. So, while my commit didn't break anything, it didn't fully
+solve the alignment problems.
+
+Revert my solution and just update chacha20_block() to use
+put_unaligned_le32(), so the output buffer need not be aligned.
+This is simpler, and on many CPUs it's the same speed.
+
+But, I kept the 'tmp' buffers in extract_crng_user() and
+_get_random_bytes() 4-byte aligned, since that alignment is actually
+needed for _crng_backtrack_protect() too.
+
+Reported-by: Stephan Müller <smueller@chronox.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/chacha20_generic.c | 7 ++++---
+ drivers/char/random.c | 24 ++++++++++++------------
+ include/crypto/chacha20.h | 3 +--
+ lib/chacha20.c | 6 +++---
+ 4 files changed, 20 insertions(+), 20 deletions(-)
+
+--- a/crypto/chacha20_generic.c
++++ b/crypto/chacha20_generic.c
+@@ -22,20 +22,21 @@ static inline u32 le32_to_cpuvp(const vo
+ static void chacha20_docrypt(u32 *state, u8 *dst, const u8 *src,
+ unsigned int bytes)
+ {
+- u32 stream[CHACHA20_BLOCK_WORDS];
++ /* aligned to potentially speed up crypto_xor() */
++ u8 stream[CHACHA20_BLOCK_SIZE] __aligned(sizeof(long));
+
+ if (dst != src)
+ memcpy(dst, src, bytes);
+
+ while (bytes >= CHACHA20_BLOCK_SIZE) {
+ chacha20_block(state, stream);
+- crypto_xor(dst, (const u8 *)stream, CHACHA20_BLOCK_SIZE);
++ crypto_xor(dst, stream, CHACHA20_BLOCK_SIZE);
+ bytes -= CHACHA20_BLOCK_SIZE;
+ dst += CHACHA20_BLOCK_SIZE;
+ }
+ if (bytes) {
+ chacha20_block(state, stream);
+- crypto_xor(dst, (const u8 *)stream, bytes);
++ crypto_xor(dst, stream, bytes);
+ }
+ }
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -485,9 +485,9 @@ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+- __u32 out[CHACHA20_BLOCK_WORDS]);
++ __u8 out[CHACHA20_BLOCK_SIZE]);
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u32 tmp[CHACHA20_BLOCK_WORDS], int used);
++ __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
+ static void process_random_ready_list(void);
+ static void _get_random_bytes(void *buf, int nbytes);
+
+@@ -986,7 +986,7 @@ static void crng_reseed(struct crng_stat
+ unsigned long flags;
+ int i, num;
+ union {
+- __u32 block[CHACHA20_BLOCK_WORDS];
++ __u8 block[CHACHA20_BLOCK_SIZE];
+ __u32 key[8];
+ } buf;
+
+@@ -1014,7 +1014,7 @@ static void crng_reseed(struct crng_stat
+ }
+
+ static void _extract_crng(struct crng_state *crng,
+- __u32 out[CHACHA20_BLOCK_WORDS])
++ __u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ unsigned long flags, init_time;
+
+@@ -1032,7 +1032,7 @@ static void _extract_crng(struct crng_st
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void extract_crng(__u32 out[CHACHA20_BLOCK_WORDS])
++static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ _extract_crng(select_crng(), out);
+ }
+@@ -1042,7 +1042,7 @@ static void extract_crng(__u32 out[CHACH
+ * enough) to mutate the CRNG key to provide backtracking protection.
+ */
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u32 tmp[CHACHA20_BLOCK_WORDS], int used)
++ __u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+ unsigned long flags;
+ __u32 *s, *d;
+@@ -1054,14 +1054,14 @@ static void _crng_backtrack_protect(stru
+ used = 0;
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+- s = &tmp[used / sizeof(__u32)];
++ s = (__u32 *) &tmp[used];
+ d = &crng->state[4];
+ for (i=0; i < 8; i++)
+ *d++ ^= *s++;
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void crng_backtrack_protect(__u32 tmp[CHACHA20_BLOCK_WORDS], int used)
++static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+ _crng_backtrack_protect(select_crng(), tmp, used);
+ }
+@@ -1069,7 +1069,7 @@ static void crng_backtrack_protect(__u32
+ static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
+ {
+ ssize_t ret = 0, i = CHACHA20_BLOCK_SIZE;
+- __u32 tmp[CHACHA20_BLOCK_WORDS];
++ __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
+ int large_request = (nbytes > 256);
+
+ while (nbytes) {
+@@ -1529,7 +1529,7 @@ static void _warn_unseeded_randomness(co
+ */
+ static void _get_random_bytes(void *buf, int nbytes)
+ {
+- __u32 tmp[CHACHA20_BLOCK_WORDS];
++ __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
+
+ trace_get_random_bytes(nbytes, _RET_IP_);
+
+@@ -2116,7 +2116,7 @@ u64 get_random_u64(void)
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
+- extract_crng((__u32 *)batch->entropy_u64);
++ extract_crng((u8 *)batch->entropy_u64);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u64[batch->position++];
+@@ -2140,7 +2140,7 @@ u32 get_random_u32(void)
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
+- extract_crng(batch->entropy_u32);
++ extract_crng((u8 *)batch->entropy_u32);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u32[batch->position++];
+--- a/include/crypto/chacha20.h
++++ b/include/crypto/chacha20.h
+@@ -13,13 +13,12 @@
+ #define CHACHA20_IV_SIZE 16
+ #define CHACHA20_KEY_SIZE 32
+ #define CHACHA20_BLOCK_SIZE 64
+-#define CHACHA20_BLOCK_WORDS (CHACHA20_BLOCK_SIZE / sizeof(u32))
+
+ struct chacha20_ctx {
+ u32 key[8];
+ };
+
+-void chacha20_block(u32 *state, u32 *stream);
++void chacha20_block(u32 *state, u8 *stream);
+ void crypto_chacha20_init(u32 *state, struct chacha20_ctx *ctx, u8 *iv);
+ int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
+ unsigned int keysize);
+--- a/lib/chacha20.c
++++ b/lib/chacha20.c
+@@ -21,9 +21,9 @@ static inline u32 rotl32(u32 v, u8 n)
+ return (v << n) | (v >> (sizeof(v) * 8 - n));
+ }
+
+-void chacha20_block(u32 *state, u32 *stream)
++void chacha20_block(u32 *state, u8 *stream)
+ {
+- u32 x[16], *out = stream;
++ u32 x[16];
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(x); i++)
+@@ -72,7 +72,7 @@ void chacha20_block(u32 *state, u32 *str
+ }
+
+ for (i = 0; i < ARRAY_SIZE(x); i++)
+- out[i] = cpu_to_le32(x[i] + state[i]);
++ put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
+
+ state[12]++;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 22 Nov 2017 11:51:39 -0800
+Subject: crypto: chacha20 - Fix keystream alignment for chacha20_block()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 9f480faec58cd6197a007ea1dcac6b7c3daf1139 upstream.
+
+When chacha20_block() outputs the keystream block, it uses 'u32' stores
+directly. However, the callers (crypto/chacha20_generic.c and
+drivers/char/random.c) declare the keystream buffer as a 'u8' array,
+which is not guaranteed to have the needed alignment.
+
+Fix it by having both callers declare the keystream as a 'u32' array.
+For now this is preferable to switching over to the unaligned access
+macros because chacha20_block() is only being used in cases where we can
+easily control the alignment (stack buffers).
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/chacha20_generic.c | 6 +++---
+ drivers/char/random.c | 24 ++++++++++++------------
+ include/crypto/chacha20.h | 3 ++-
+ lib/chacha20.c | 2 +-
+ 4 files changed, 18 insertions(+), 17 deletions(-)
+
+--- a/crypto/chacha20_generic.c
++++ b/crypto/chacha20_generic.c
+@@ -22,20 +22,20 @@ static inline u32 le32_to_cpuvp(const vo
+ static void chacha20_docrypt(u32 *state, u8 *dst, const u8 *src,
+ unsigned int bytes)
+ {
+- u8 stream[CHACHA20_BLOCK_SIZE];
++ u32 stream[CHACHA20_BLOCK_WORDS];
+
+ if (dst != src)
+ memcpy(dst, src, bytes);
+
+ while (bytes >= CHACHA20_BLOCK_SIZE) {
+ chacha20_block(state, stream);
+- crypto_xor(dst, stream, CHACHA20_BLOCK_SIZE);
++ crypto_xor(dst, (const u8 *)stream, CHACHA20_BLOCK_SIZE);
+ bytes -= CHACHA20_BLOCK_SIZE;
+ dst += CHACHA20_BLOCK_SIZE;
+ }
+ if (bytes) {
+ chacha20_block(state, stream);
+- crypto_xor(dst, stream, bytes);
++ crypto_xor(dst, (const u8 *)stream, bytes);
+ }
+ }
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -433,9 +433,9 @@ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+- __u8 out[CHACHA20_BLOCK_SIZE]);
++ __u32 out[CHACHA20_BLOCK_WORDS]);
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
++ __u32 tmp[CHACHA20_BLOCK_WORDS], int used);
+ static void process_random_ready_list(void);
+ static void _get_random_bytes(void *buf, int nbytes);
+
+@@ -929,7 +929,7 @@ static void crng_reseed(struct crng_stat
+ unsigned long flags;
+ int i, num;
+ union {
+- __u8 block[CHACHA20_BLOCK_SIZE];
++ __u32 block[CHACHA20_BLOCK_WORDS];
+ __u32 key[8];
+ } buf;
+
+@@ -976,7 +976,7 @@ static void crng_reseed(struct crng_stat
+ }
+
+ static void _extract_crng(struct crng_state *crng,
+- __u8 out[CHACHA20_BLOCK_SIZE])
++ __u32 out[CHACHA20_BLOCK_WORDS])
+ {
+ unsigned long v, flags, init_time;
+
+@@ -996,7 +996,7 @@ static void _extract_crng(struct crng_st
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
++static void extract_crng(__u32 out[CHACHA20_BLOCK_WORDS])
+ {
+ _extract_crng(select_crng(), out);
+ }
+@@ -1006,7 +1006,7 @@ static void extract_crng(__u8 out[CHACHA
+ * enough) to mutate the CRNG key to provide backtracking protection.
+ */
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++ __u32 tmp[CHACHA20_BLOCK_WORDS], int used)
+ {
+ unsigned long flags;
+ __u32 *s, *d;
+@@ -1018,14 +1018,14 @@ static void _crng_backtrack_protect(stru
+ used = 0;
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+- s = (__u32 *) &tmp[used];
++ s = &tmp[used / sizeof(__u32)];
+ d = &crng->state[4];
+ for (i=0; i < 8; i++)
+ *d++ ^= *s++;
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++static void crng_backtrack_protect(__u32 tmp[CHACHA20_BLOCK_WORDS], int used)
+ {
+ _crng_backtrack_protect(select_crng(), tmp, used);
+ }
+@@ -1033,7 +1033,7 @@ static void crng_backtrack_protect(__u8
+ static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
+ {
+ ssize_t ret = 0, i = CHACHA20_BLOCK_SIZE;
+- __u8 tmp[CHACHA20_BLOCK_SIZE];
++ __u32 tmp[CHACHA20_BLOCK_WORDS];
+ int large_request = (nbytes > 256);
+
+ while (nbytes) {
+@@ -1619,7 +1619,7 @@ static void _warn_unseeded_randomness(co
+ */
+ static void _get_random_bytes(void *buf, int nbytes)
+ {
+- __u8 tmp[CHACHA20_BLOCK_SIZE];
++ __u32 tmp[CHACHA20_BLOCK_WORDS];
+
+ trace_get_random_bytes(nbytes, _RET_IP_);
+
+@@ -2220,7 +2220,7 @@ u64 get_random_u64(void)
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
+- extract_crng((u8 *)batch->entropy_u64);
++ extract_crng((__u32 *)batch->entropy_u64);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u64[batch->position++];
+@@ -2244,7 +2244,7 @@ u32 get_random_u32(void)
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+ spin_lock_irqsave(&batch->batch_lock, flags);
+ if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
+- extract_crng((u8 *)batch->entropy_u32);
++ extract_crng(batch->entropy_u32);
+ batch->position = 0;
+ }
+ ret = batch->entropy_u32[batch->position++];
+--- a/include/crypto/chacha20.h
++++ b/include/crypto/chacha20.h
+@@ -13,12 +13,13 @@
+ #define CHACHA20_IV_SIZE 16
+ #define CHACHA20_KEY_SIZE 32
+ #define CHACHA20_BLOCK_SIZE 64
++#define CHACHA20_BLOCK_WORDS (CHACHA20_BLOCK_SIZE / sizeof(u32))
+
+ struct chacha20_ctx {
+ u32 key[8];
+ };
+
+-void chacha20_block(u32 *state, void *stream);
++void chacha20_block(u32 *state, u32 *stream);
+ void crypto_chacha20_init(u32 *state, struct chacha20_ctx *ctx, u8 *iv);
+ int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
+ unsigned int keysize);
+--- a/lib/chacha20.c
++++ b/lib/chacha20.c
+@@ -21,7 +21,7 @@ static inline u32 rotl32(u32 v, u8 n)
+ return (v << n) | (v >> (sizeof(v) * 8 - n));
+ }
+
+-extern void chacha20_block(u32 *state, void *stream)
++void chacha20_block(u32 *state, u32 *stream)
+ {
+ u32 x[16], *out = stream;
+ int i;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 21 Mar 2018 19:01:40 +0200
+Subject: crypto: Deduplicate le32_to_cpu_array() and cpu_to_le32_array()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 9def051018c08e65c532822749e857eb4b2e12e7 upstream.
+
+Deduplicate le32_to_cpu_array() and cpu_to_le32_array() by moving them
+to the generic header.
+
+No functional change implied.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/md4.c | 17 -----------------
+ crypto/md5.c | 17 -----------------
+ include/linux/byteorder/generic.h | 17 +++++++++++++++++
+ 3 files changed, 17 insertions(+), 34 deletions(-)
+
+--- a/crypto/md4.c
++++ b/crypto/md4.c
+@@ -64,23 +64,6 @@ static inline u32 H(u32 x, u32 y, u32 z)
+ #define ROUND2(a,b,c,d,k,s) (a = lshift(a + G(b,c,d) + k + (u32)0x5A827999,s))
+ #define ROUND3(a,b,c,d,k,s) (a = lshift(a + H(b,c,d) + k + (u32)0x6ED9EBA1,s))
+
+-/* XXX: this stuff can be optimized */
+-static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
+-{
+- while (words--) {
+- __le32_to_cpus(buf);
+- buf++;
+- }
+-}
+-
+-static inline void cpu_to_le32_array(u32 *buf, unsigned int words)
+-{
+- while (words--) {
+- __cpu_to_le32s(buf);
+- buf++;
+- }
+-}
+-
+ static void md4_transform(u32 *hash, u32 const *in)
+ {
+ u32 a, b, c, d;
+--- a/crypto/md5.c
++++ b/crypto/md5.c
+@@ -32,23 +32,6 @@ const u8 md5_zero_message_hash[MD5_DIGES
+ };
+ EXPORT_SYMBOL_GPL(md5_zero_message_hash);
+
+-/* XXX: this stuff can be optimized */
+-static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
+-{
+- while (words--) {
+- __le32_to_cpus(buf);
+- buf++;
+- }
+-}
+-
+-static inline void cpu_to_le32_array(u32 *buf, unsigned int words)
+-{
+- while (words--) {
+- __cpu_to_le32s(buf);
+- buf++;
+- }
+-}
+-
+ #define F1(x, y, z) (z ^ (x & (y ^ z)))
+ #define F2(x, y, z) F1(z, x, y)
+ #define F3(x, y, z) (x ^ y ^ z)
+--- a/include/linux/byteorder/generic.h
++++ b/include/linux/byteorder/generic.h
+@@ -156,6 +156,23 @@ static inline void le64_add_cpu(__le64 *
+ *var = cpu_to_le64(le64_to_cpu(*var) + val);
+ }
+
++/* XXX: this stuff can be optimized */
++static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
++{
++ while (words--) {
++ __le32_to_cpus(buf);
++ buf++;
++ }
++}
++
++static inline void cpu_to_le32_array(u32 *buf, unsigned int words)
++{
++ while (words--) {
++ __cpu_to_le32s(buf);
++ buf++;
++ }
++}
++
+ static inline void be16_add_cpu(__be16 *var, u16 val)
+ {
+ *var = cpu_to_be16(be16_to_cpu(*var) + val);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Stephan Mueller <smueller@chronox.de>
+Date: Wed, 8 May 2019 16:19:24 +0200
+Subject: crypto: drbg - add FIPS 140-2 CTRNG for noise source
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit db07cd26ac6a418dc2823187958edcfdb415fa83 upstream.
+
+FIPS 140-2 section 4.9.2 requires a continuous self test of the noise
+source. Up to kernel 4.8 drivers/char/random.c provided this continuous
+self test. Afterwards it was moved to a location that is inconsistent
+with the FIPS 140-2 requirements. The relevant patch was
+e192be9d9a30555aae2ca1dc3aad37cba484cd4a .
+
+Thus, the FIPS 140-2 CTRNG is added to the DRBG when it obtains the
+seed. This patch resurrects the function drbg_fips_continous_test that
+existed some time ago and applies it to the noise sources. The patch
+that removed the drbg_fips_continous_test was
+b3614763059b82c26bdd02ffcb1c016c1132aad0 .
+
+The Jitter RNG implements its own FIPS 140-2 self test and thus does not
+need to be subjected to the test in the DRBG.
+
+The patch contains a tiny fix to ensure proper zeroization in case of an
+error during the Jitter RNG data gathering.
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Reviewed-by: Yann Droneaud <ydroneaud@opteya.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 94 ++++++++++++++++++++++++++++++++++++++++++++++++--
+ include/crypto/drbg.h | 2 +
+ 2 files changed, 93 insertions(+), 3 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -220,6 +220,57 @@ static inline unsigned short drbg_sec_st
+ }
+
+ /*
++ * FIPS 140-2 continuous self test for the noise source
++ * The test is performed on the noise source input data. Thus, the function
++ * implicitly knows the size of the buffer to be equal to the security
++ * strength.
++ *
++ * Note, this function disregards the nonce trailing the entropy data during
++ * initial seeding.
++ *
++ * drbg->drbg_mutex must have been taken.
++ *
++ * @drbg DRBG handle
++ * @entropy buffer of seed data to be checked
++ *
++ * return:
++ * 0 on success
++ * -EAGAIN on when the CTRNG is not yet primed
++ * < 0 on error
++ */
++static int drbg_fips_continuous_test(struct drbg_state *drbg,
++ const unsigned char *entropy)
++{
++ unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
++ int ret = 0;
++
++ if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
++ return 0;
++
++ /* skip test if we test the overall system */
++ if (list_empty(&drbg->test_data.list))
++ return 0;
++ /* only perform test in FIPS mode */
++ if (!fips_enabled)
++ return 0;
++
++ if (!drbg->fips_primed) {
++ /* Priming of FIPS test */
++ memcpy(drbg->prev, entropy, entropylen);
++ drbg->fips_primed = true;
++ /* priming: another round is needed */
++ return -EAGAIN;
++ }
++ ret = memcmp(drbg->prev, entropy, entropylen);
++ if (!ret)
++ panic("DRBG continuous self test failed\n");
++ memcpy(drbg->prev, entropy, entropylen);
++
++ /* the test shall pass when the two values are not equal */
++ return 0;
++}
++
++/*
+ * Convert an integer into a byte representation of this integer.
+ * The byte representation is big-endian
+ *
+@@ -1000,6 +1051,22 @@ static inline int __drbg_seed(struct drb
+ return ret;
+ }
+
++static inline int drbg_get_random_bytes(struct drbg_state *drbg,
++ unsigned char *entropy,
++ unsigned int entropylen)
++{
++ int ret;
++
++ do {
++ get_random_bytes(entropy, entropylen);
++ ret = drbg_fips_continuous_test(drbg, entropy);
++ if (ret && ret != -EAGAIN)
++ return ret;
++ } while (ret);
++
++ return 0;
++}
++
+ static void drbg_async_seed(struct work_struct *work)
+ {
+ struct drbg_string data;
+@@ -1008,16 +1075,20 @@ static void drbg_async_seed(struct work_
+ seed_work);
+ unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
+ unsigned char entropy[32];
++ int ret;
+
+ BUG_ON(!entropylen);
+ BUG_ON(entropylen > sizeof(entropy));
+- get_random_bytes(entropy, entropylen);
+
+ drbg_string_fill(&data, entropy, entropylen);
+ list_add_tail(&data.list, &seedlist);
+
+ mutex_lock(&drbg->drbg_mutex);
+
++ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
++ if (ret)
++ goto unlock;
++
+ /* If nonblocking pool is initialized, deactivate Jitter RNG */
+ crypto_free_rng(drbg->jent);
+ drbg->jent = NULL;
+@@ -1032,6 +1103,7 @@ static void drbg_async_seed(struct work_
+ if (drbg->seeded)
+ drbg->reseed_threshold = drbg_max_requests(drbg);
+
++unlock:
+ mutex_unlock(&drbg->drbg_mutex);
+
+ memzero_explicit(entropy, entropylen);
+@@ -1083,7 +1155,9 @@ static int drbg_seed(struct drbg_state *
+ BUG_ON((entropylen * 2) > sizeof(entropy));
+
+ /* Get seed from in-kernel /dev/urandom */
+- get_random_bytes(entropy, entropylen);
++ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
++ if (ret)
++ goto out;
+
+ if (!drbg->jent) {
+ drbg_string_fill(&data1, entropy, entropylen);
+@@ -1096,7 +1170,7 @@ static int drbg_seed(struct drbg_state *
+ entropylen);
+ if (ret) {
+ pr_devel("DRBG: jent failed with %d\n", ret);
+- return ret;
++ goto out;
+ }
+
+ drbg_string_fill(&data1, entropy, entropylen * 2);
+@@ -1123,6 +1197,7 @@ static int drbg_seed(struct drbg_state *
+
+ ret = __drbg_seed(drbg, &seedlist, reseed);
+
++out:
+ memzero_explicit(entropy, entropylen * 2);
+
+ return ret;
+@@ -1144,6 +1219,11 @@ static inline void drbg_dealloc_state(st
+ drbg->reseed_ctr = 0;
+ drbg->d_ops = NULL;
+ drbg->core = NULL;
++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
++ kzfree(drbg->prev);
++ drbg->prev = NULL;
++ drbg->fips_primed = false;
++ }
+ }
+
+ /*
+@@ -1213,6 +1293,14 @@ static inline int drbg_alloc_state(struc
+ drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
+ }
+
++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
++ drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
++ GFP_KERNEL);
++ if (!drbg->prev)
++ goto fini;
++ drbg->fips_primed = false;
++ }
++
+ return 0;
+
+ fini:
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -131,6 +131,8 @@ struct drbg_state {
+
+ bool seeded; /* DRBG fully seeded? */
+ bool pr; /* Prediction resistance enabled? */
++ bool fips_primed; /* Continuous test primed? */
++ unsigned char *prev; /* FIPS 140-2 continuous test value */
+ struct work_struct seed_work; /* asynchronous seeding support */
+ struct crypto_rng *jent;
+ const struct drbg_state_ops *d_ops;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Stephan Müller" <smueller@chronox.de>
+Date: Fri, 17 Apr 2020 21:34:03 +0200
+Subject: crypto: drbg - always seeded with SP800-90B compliant noise source
+
+From: "Stephan Müller" <smueller@chronox.de>
+
+commit 97f2650e504033376e8813691cb6eccf73151676 upstream.
+
+As the Jitter RNG provides an SP800-90B compliant noise source, use this
+noise source always for the (re)seeding of the DRBG.
+
+To make sure the DRBG is always properly seeded, the reseed threshold
+is reduced to 1<<20 generate operations.
+
+The Jitter RNG may report health test failures. Such health test
+failures are treated as transient as follows. The DRBG will not reseed
+from the Jitter RNG (but from get_random_bytes) in case of a health
+test failure. Though, it produces the requested random number.
+
+The Jitter RNG has a failure counter where at most 1024 consecutive
+resets due to a health test failure are considered as a transient error.
+If more consecutive resets are required, the Jitter RNG will return
+a permanent error which is returned to the caller by the DRBG. With this
+approach, the worst case reseed threshold is significantly lower than
+mandated by SP800-90A in order to seed with an SP800-90B noise source:
+the DRBG has a reseed threshold of 2^20 * 1024 = 2^30 generate requests.
+
+Yet, in case of a transient Jitter RNG health test failure, the DRBG is
+seeded with the data obtained from get_random_bytes.
+
+However, if the Jitter RNG fails during the initial seeding operation
+even due to a health test error, the DRBG will send an error to the
+caller because at that time, the DRBG has received no seed that is
+SP800-90B compliant.
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 26 +++++++++++++++++++-------
+ include/crypto/drbg.h | 6 +-----
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1089,10 +1089,6 @@ static void drbg_async_seed(struct work_
+ if (ret)
+ goto unlock;
+
+- /* If nonblocking pool is initialized, deactivate Jitter RNG */
+- crypto_free_rng(drbg->jent);
+- drbg->jent = NULL;
+-
+ /* Set seeded to false so that if __drbg_seed fails the
+ * next generate call will trigger a reseed.
+ */
+@@ -1170,7 +1166,23 @@ static int drbg_seed(struct drbg_state *
+ entropylen);
+ if (ret) {
+ pr_devel("DRBG: jent failed with %d\n", ret);
+- goto out;
++
++ /*
++ * Do not treat the transient failure of the
++ * Jitter RNG as an error that needs to be
++ * reported. The combined number of the
++ * maximum reseed threshold times the maximum
++ * number of Jitter RNG transient errors is
++ * less than the reseed threshold required by
++ * SP800-90A allowing us to treat the
++ * transient errors as such.
++ *
++ * However, we mandate that at least the first
++ * seeding operation must succeed with the
++ * Jitter RNG.
++ */
++ if (!reseed || ret != -EAGAIN)
++ goto out;
+ }
+
+ drbg_string_fill(&data1, entropy, entropylen * 2);
+@@ -1495,6 +1507,8 @@ static int drbg_prepare_hrng(struct drbg
+ if (list_empty(&drbg->test_data.list))
+ return 0;
+
++ drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
++
+ INIT_WORK(&drbg->seed_work, drbg_async_seed);
+
+ drbg->random_ready.notifier_call = drbg_schedule_async_seed;
+@@ -1513,8 +1527,6 @@ static int drbg_prepare_hrng(struct drbg
+ return err;
+ }
+
+- drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
+-
+ /*
+ * Require frequent reseeds until the seed source is fully
+ * initialized.
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -186,11 +186,7 @@ static inline size_t drbg_max_addtl(stru
+ static inline size_t drbg_max_requests(struct drbg_state *drbg)
+ {
+ /* SP800-90A requires 2**48 maximum requests before reseeding */
+-#if (__BITS_PER_LONG == 32)
+- return SIZE_MAX;
+-#else
+- return (1UL<<48);
+-#endif
++ return (1<<20);
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Stephan Müller" <smueller@chronox.de>
+Date: Sun, 7 Jun 2020 15:20:26 +0200
+Subject: crypto: drbg - always try to free Jitter RNG instance
+
+From: "Stephan Müller" <smueller@chronox.de>
+
+commit 819966c06b759022e9932f328284314d9272b9f3 upstream.
+
+The Jitter RNG is unconditionally allocated as a seed source follwoing
+the patch 97f2650e5040. Thus, the instance must always be deallocated.
+
+Reported-by: syzbot+2e635807decef724a1fa@syzkaller.appspotmail.com
+Fixes: 97f2650e5040 ("crypto: drbg - always seeded with SP800-90B ...")
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1646,10 +1646,12 @@ static int drbg_uninstantiate(struct drb
+ if (drbg->random_ready.notifier_call) {
+ unregister_random_ready_notifier(&drbg->random_ready);
+ cancel_work_sync(&drbg->seed_work);
+- crypto_free_rng(drbg->jent);
+- drbg->jent = NULL;
+ }
+
++ if (!IS_ERR_OR_NULL(drbg->jent))
++ crypto_free_rng(drbg->jent);
++ drbg->jent = NULL;
++
+ if (drbg->d_ops)
+ drbg->d_ops->crypto_fini(drbg);
+ drbg_dealloc_state(drbg);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Nicolai Stange <nstange@suse.de>
+Date: Thu, 2 Jun 2022 22:22:32 +0200
+Subject: crypto: drbg - make reseeding from get_random_bytes() synchronous
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit 074bcd4000e0d812bc253f86fedc40f81ed59ccc upstream.
+
+get_random_bytes() usually hasn't full entropy available by the time DRBG
+instances are first getting seeded from it during boot. Thus, the DRBG
+implementation registers random_ready_callbacks which would in turn
+schedule some work for reseeding the DRBGs once get_random_bytes() has
+sufficient entropy available.
+
+For reference, the relevant history around handling DRBG (re)seeding in
+the context of a not yet fully seeded get_random_bytes() is:
+
+ commit 16b369a91d0d ("random: Blocking API for accessing
+ nonblocking_pool")
+ commit 4c7879907edd ("crypto: drbg - add async seeding operation")
+
+ commit 205a525c3342 ("random: Add callback API for random pool
+ readiness")
+ commit 57225e679788 ("crypto: drbg - Use callback API for random
+ readiness")
+ commit c2719503f5e1 ("random: Remove kernel blocking API")
+
+However, some time later, the initialization state of get_random_bytes()
+has been made queryable via rng_is_initialized() introduced with commit
+9a47249d444d ("random: Make crng state queryable"). This primitive now
+allows for streamlining the DRBG reseeding from get_random_bytes() by
+replacing that aforementioned asynchronous work scheduling from
+random_ready_callbacks with some simpler, synchronous code in
+drbg_generate() next to the related logic already present therein. Apart
+from improving overall code readability, this change will also enable DRBG
+users to rely on wait_for_random_bytes() for ensuring that the initial
+seeding has completed, if desired.
+
+The previous patches already laid the grounds by making drbg_seed() to
+record at each DRBG instance whether it was being seeded at a time when
+rng_is_initialized() still had been false as indicated by
+->seeded == DRBG_SEED_STATE_PARTIAL.
+
+All that remains to be done now is to make drbg_generate() check for this
+condition, determine whether rng_is_initialized() has flipped to true in
+the meanwhile and invoke a reseed from get_random_bytes() if so.
+
+Make this move:
+- rename the former drbg_async_seed() work handler, i.e. the one in charge
+ of reseeding a DRBG instance from get_random_bytes(), to
+ "drbg_seed_from_random()",
+- change its signature as appropriate, i.e. make it take a struct
+ drbg_state rather than a work_struct and change its return type from
+ "void" to "int" in order to allow for passing error information from
+ e.g. its __drbg_seed() invocation onwards to callers,
+- make drbg_generate() invoke this drbg_seed_from_random() once it
+ encounters a DRBG instance with ->seeded == DRBG_SEED_STATE_PARTIAL by
+ the time rng_is_initialized() has flipped to true and
+- prune everything related to the former, random_ready_callback based
+ mechanism.
+
+As drbg_seed_from_random() is now getting invoked from drbg_generate() with
+the ->drbg_mutex being held, it must not attempt to recursively grab it
+once again. Remove the corresponding mutex operations from what is now
+drbg_seed_from_random(). Furthermore, as drbg_seed_from_random() can now
+report errors directly to its caller, there's no need for it to temporarily
+switch the DRBG's ->seeded state to DRBG_SEED_STATE_UNSEEDED so that a
+failure of the subsequently invoked __drbg_seed() will get signaled to
+drbg_generate(). Don't do it then.
+
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[Jason: for stable, undid the modifications for the backport of 5acd3548.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 61 +++++++++-----------------------------------------
+ drivers/char/random.c | 2 -
+ include/crypto/drbg.h | 2 -
+ 3 files changed, 11 insertions(+), 54 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1087,12 +1087,10 @@ static inline int drbg_get_random_bytes(
+ return 0;
+ }
+
+-static void drbg_async_seed(struct work_struct *work)
++static int drbg_seed_from_random(struct drbg_state *drbg)
+ {
+ struct drbg_string data;
+ LIST_HEAD(seedlist);
+- struct drbg_state *drbg = container_of(work, struct drbg_state,
+- seed_work);
+ unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
+ unsigned char entropy[32];
+ int ret;
+@@ -1103,23 +1101,15 @@ static void drbg_async_seed(struct work_
+ drbg_string_fill(&data, entropy, entropylen);
+ list_add_tail(&data.list, &seedlist);
+
+- mutex_lock(&drbg->drbg_mutex);
+-
+ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
+ if (ret)
+- goto unlock;
+-
+- /* Reset ->seeded so that if __drbg_seed fails the next
+- * generate call will trigger a reseed.
+- */
+- drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
++ goto out;
+
+- __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
+-
+-unlock:
+- mutex_unlock(&drbg->drbg_mutex);
++ ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
+
++out:
+ memzero_explicit(entropy, entropylen);
++ return ret;
+ }
+
+ /*
+@@ -1420,6 +1410,11 @@ static int drbg_generate(struct drbg_sta
+ goto err;
+ /* 9.3.1 step 7.4 */
+ addtl = NULL;
++ } else if (rng_is_initialized() &&
++ drbg->seeded == DRBG_SEED_STATE_PARTIAL) {
++ len = drbg_seed_from_random(drbg);
++ if (len)
++ goto err;
+ }
+
+ if (addtl && 0 < addtl->len)
+@@ -1512,44 +1507,15 @@ static int drbg_generate_long(struct drb
+ return 0;
+ }
+
+-static int drbg_schedule_async_seed(struct notifier_block *nb, unsigned long action, void *data)
+-{
+- struct drbg_state *drbg = container_of(nb, struct drbg_state,
+- random_ready);
+-
+- schedule_work(&drbg->seed_work);
+- return 0;
+-}
+-
+ static int drbg_prepare_hrng(struct drbg_state *drbg)
+ {
+- int err;
+-
+ /* We do not need an HRNG in test mode. */
+ if (list_empty(&drbg->test_data.list))
+ return 0;
+
+ drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
+
+- INIT_WORK(&drbg->seed_work, drbg_async_seed);
+-
+- drbg->random_ready.notifier_call = drbg_schedule_async_seed;
+- err = register_random_ready_notifier(&drbg->random_ready);
+-
+- switch (err) {
+- case 0:
+- break;
+-
+- case -EALREADY:
+- err = 0;
+- /* fall through */
+-
+- default:
+- drbg->random_ready.notifier_call = NULL;
+- return err;
+- }
+-
+- return err;
++ return 0;
+ }
+
+ /*
+@@ -1643,11 +1609,6 @@ free_everything:
+ */
+ static int drbg_uninstantiate(struct drbg_state *drbg)
+ {
+- if (drbg->random_ready.notifier_call) {
+- unregister_random_ready_notifier(&drbg->random_ready);
+- cancel_work_sync(&drbg->seed_work);
+- }
+-
+ if (!IS_ERR_OR_NULL(drbg->jent))
+ crypto_free_rng(drbg->jent);
+ drbg->jent = NULL;
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -157,7 +157,6 @@ int __cold register_random_ready_notifie
+ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
+ return ret;
+ }
+-EXPORT_SYMBOL(register_random_ready_notifier);
+
+ /*
+ * Delete a previously registered readiness callback function.
+@@ -172,7 +171,6 @@ int __cold unregister_random_ready_notif
+ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
+ return ret;
+ }
+-EXPORT_SYMBOL(unregister_random_ready_notifier);
+
+ static void __cold process_random_ready_list(void)
+ {
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -139,12 +139,10 @@ struct drbg_state {
+ bool pr; /* Prediction resistance enabled? */
+ bool fips_primed; /* Continuous test primed? */
+ unsigned char *prev; /* FIPS 140-2 continuous test value */
+- struct work_struct seed_work; /* asynchronous seeding support */
+ struct crypto_rng *jent;
+ const struct drbg_state_ops *d_ops;
+ const struct drbg_core *core;
+ struct drbg_string test_data;
+- struct notifier_block random_ready;
+ };
+
+ static inline __u8 drbg_statelen(struct drbg_state *drbg)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Nicolai Stange <nstange@suse.de>
+Date: Thu, 2 Jun 2022 22:22:31 +0200
+Subject: crypto: drbg - move dynamic ->reseed_threshold adjustments to __drbg_seed()
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit 262d83a4290c331cd4f617a457408bdb82fbb738 upstream.
+
+Since commit 42ea507fae1a ("crypto: drbg - reseed often if seedsource is
+degraded"), the maximum seed lifetime represented by ->reseed_threshold
+gets temporarily lowered if the get_random_bytes() source cannot provide
+sufficient entropy yet, as is common during boot, and restored back to
+the original value again once that has changed.
+
+More specifically, if the add_random_ready_callback() invoked from
+drbg_prepare_hrng() in the course of DRBG instantiation does not return
+-EALREADY, that is, if get_random_bytes() has not been fully initialized
+at this point yet, drbg_prepare_hrng() will lower ->reseed_threshold
+to a value of 50. The drbg_async_seed() scheduled from said
+random_ready_callback will eventually restore the original value.
+
+A future patch will replace the random_ready_callback based notification
+mechanism and thus, there will be no add_random_ready_callback() return
+value anymore which could get compared to -EALREADY.
+
+However, there's __drbg_seed() which gets invoked in the course of both,
+the DRBG instantiation as well as the eventual reseeding from
+get_random_bytes() in aforementioned drbg_async_seed(), if any. Moreover,
+it knows about the get_random_bytes() initialization state by the time the
+seed data had been obtained from it: the new_seed_state argument introduced
+with the previous patch would get set to DRBG_SEED_STATE_PARTIAL in case
+get_random_bytes() had not been fully initialized yet and to
+DRBG_SEED_STATE_FULL otherwise. Thus, __drbg_seed() provides a convenient
+alternative for managing that ->reseed_threshold lowering and restoring at
+a central place.
+
+Move all ->reseed_threshold adjustment code from drbg_prepare_hrng() and
+drbg_async_seed() respectively to __drbg_seed(). Make __drbg_seed()
+lower the ->reseed_threshold to 50 in case its new_seed_state argument
+equals DRBG_SEED_STATE_PARTIAL and let it restore the original value
+otherwise.
+
+There is no change in behaviour.
+
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Reviewed-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1048,6 +1048,26 @@ static inline int __drbg_seed(struct drb
+ /* 10.1.1.2 / 10.1.1.3 step 5 */
+ drbg->reseed_ctr = 1;
+
++ switch (drbg->seeded) {
++ case DRBG_SEED_STATE_UNSEEDED:
++ /* Impossible, but handle it to silence compiler warnings. */
++ case DRBG_SEED_STATE_PARTIAL:
++ /*
++ * Require frequent reseeds until the seed source is
++ * fully initialized.
++ */
++ drbg->reseed_threshold = 50;
++ break;
++
++ case DRBG_SEED_STATE_FULL:
++ /*
++ * Seed source has become fully initialized, frequent
++ * reseeds no longer required.
++ */
++ drbg->reseed_threshold = drbg_max_requests(drbg);
++ break;
++ }
++
+ return ret;
+ }
+
+@@ -1096,9 +1116,6 @@ static void drbg_async_seed(struct work_
+
+ __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
+
+- if (drbg->seeded == DRBG_SEED_STATE_FULL)
+- drbg->reseed_threshold = drbg_max_requests(drbg);
+-
+ unlock:
+ mutex_unlock(&drbg->drbg_mutex);
+
+@@ -1532,12 +1549,6 @@ static int drbg_prepare_hrng(struct drbg
+ return err;
+ }
+
+- /*
+- * Require frequent reseeds until the seed source is fully
+- * initialized.
+- */
+- drbg->reseed_threshold = 50;
+-
+ return err;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Nicolai Stange <nstange@suse.de>
+Date: Thu, 2 Jun 2022 22:22:29 +0200
+Subject: crypto: drbg - prepare for more fine-grained tracking of seeding state
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit ce8ce31b2c5c8b18667784b8c515650c65d57b4e upstream.
+
+There are two different randomness sources the DRBGs are getting seeded
+from, namely the jitterentropy source (if enabled) and get_random_bytes().
+At initial DRBG seeding time during boot, the latter might not have
+collected sufficient entropy for seeding itself yet and thus, the DRBG
+implementation schedules a reseed work from a random_ready_callback once
+that has happened. This is particularly important for the !->pr DRBG
+instances, for which (almost) no further reseeds are getting triggered
+during their lifetime.
+
+Because collecting data from the jitterentropy source is a rather expensive
+operation, the aforementioned asynchronously scheduled reseed work
+restricts itself to get_random_bytes() only. That is, it in some sense
+amends the initial DRBG seed derived from jitterentropy output at full
+(estimated) entropy with fresh randomness obtained from get_random_bytes()
+once that has been seeded with sufficient entropy itself.
+
+With the advent of rng_is_initialized(), there is no real need for doing
+the reseed operation from an asynchronously scheduled work anymore and a
+subsequent patch will make it synchronous by moving it next to related
+logic already present in drbg_generate().
+
+However, for tracking whether a full reseed including the jitterentropy
+source is required or a "partial" reseed involving only get_random_bytes()
+would be sufficient already, the boolean struct drbg_state's ->seeded
+member must become a tristate value.
+
+Prepare for this by introducing the new enum drbg_seed_state and change
+struct drbg_state's ->seeded member's type from bool to that type.
+
+For facilitating review, enum drbg_seed_state is made to only contain
+two members corresponding to the former ->seeded values of false and true
+resp. at this point: DRBG_SEED_STATE_UNSEEDED and DRBG_SEED_STATE_FULL. A
+third one for tracking the intermediate state of "seeded from jitterentropy
+only" will be introduced with a subsequent patch.
+
+There is no change in behaviour at this point.
+
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Reviewed-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 19 ++++++++++---------
+ include/crypto/drbg.h | 7 ++++++-
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1044,7 +1044,7 @@ static inline int __drbg_seed(struct drb
+ if (ret)
+ return ret;
+
+- drbg->seeded = true;
++ drbg->seeded = DRBG_SEED_STATE_FULL;
+ /* 10.1.1.2 / 10.1.1.3 step 5 */
+ drbg->reseed_ctr = 1;
+
+@@ -1089,14 +1089,14 @@ static void drbg_async_seed(struct work_
+ if (ret)
+ goto unlock;
+
+- /* Set seeded to false so that if __drbg_seed fails the
+- * next generate call will trigger a reseed.
++ /* Reset ->seeded so that if __drbg_seed fails the next
++ * generate call will trigger a reseed.
+ */
+- drbg->seeded = false;
++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
+
+ __drbg_seed(drbg, &seedlist, true);
+
+- if (drbg->seeded)
++ if (drbg->seeded == DRBG_SEED_STATE_FULL)
+ drbg->reseed_threshold = drbg_max_requests(drbg);
+
+ unlock:
+@@ -1385,13 +1385,14 @@ static int drbg_generate(struct drbg_sta
+ * here. The spec is a bit convoluted here, we make it simpler.
+ */
+ if (drbg->reseed_threshold < drbg->reseed_ctr)
+- drbg->seeded = false;
++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
+
+- if (drbg->pr || !drbg->seeded) {
++ if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
+ pr_devel("DRBG: reseeding before generation (prediction "
+ "resistance: %s, state %s)\n",
+ drbg->pr ? "true" : "false",
+- drbg->seeded ? "seeded" : "unseeded");
++ (drbg->seeded == DRBG_SEED_STATE_FULL ?
++ "seeded" : "unseeded"));
+ /* 9.3.1 steps 7.1 through 7.3 */
+ len = drbg_seed(drbg, addtl, true);
+ if (len)
+@@ -1576,7 +1577,7 @@ static int drbg_instantiate(struct drbg_
+ if (!drbg->core) {
+ drbg->core = &drbg_cores[coreref];
+ drbg->pr = pr;
+- drbg->seeded = false;
++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
+ drbg->reseed_threshold = drbg_max_requests(drbg);
+
+ ret = drbg_alloc_state(drbg);
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -105,6 +105,11 @@ struct drbg_test_data {
+ struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
+ };
+
++enum drbg_seed_state {
++ DRBG_SEED_STATE_UNSEEDED,
++ DRBG_SEED_STATE_FULL,
++};
++
+ struct drbg_state {
+ struct mutex drbg_mutex; /* lock around DRBG */
+ unsigned char *V; /* internal state 10.1.1.1 1a) */
+@@ -129,7 +134,7 @@ struct drbg_state {
+ struct completion ctr_completion; /* CTR mode async handler */
+ int ctr_async_err; /* CTR mode async error */
+
+- bool seeded; /* DRBG fully seeded? */
++ enum drbg_seed_state seeded; /* DRBG fully seeded? */
+ bool pr; /* Prediction resistance enabled? */
+ bool fips_primed; /* Continuous test primed? */
+ unsigned char *prev; /* FIPS 140-2 continuous test value */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Nicolai Stange <nstange@suse.de>
+Date: Thu, 2 Jun 2022 22:22:30 +0200
+Subject: crypto: drbg - track whether DRBG was seeded with !rng_is_initialized()
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit 2bcd25443868aa8863779a6ebc6c9319633025d2 upstream.
+
+Currently, the DRBG implementation schedules asynchronous works from
+random_ready_callbacks for reseeding the DRBG instances with output from
+get_random_bytes() once the latter has sufficient entropy available.
+
+However, as the get_random_bytes() initialization state can get queried by
+means of rng_is_initialized() now, there is no real need for this
+asynchronous reseeding logic anymore and it's better to keep things simple
+by doing it synchronously when needed instead, i.e. from drbg_generate()
+once rng_is_initialized() has flipped to true.
+
+Of course, for this to work, drbg_generate() would need some means by which
+it can tell whether or not rng_is_initialized() has flipped to true since
+the last seeding from get_random_bytes(). Or equivalently, whether or not
+the last seed from get_random_bytes() has happened when
+rng_is_initialized() was still evaluating to false.
+
+As it currently stands, enum drbg_seed_state allows for the representation
+of two different DRBG seeding states: DRBG_SEED_STATE_UNSEEDED and
+DRBG_SEED_STATE_FULL. The former makes drbg_generate() to invoke a full
+reseeding operation involving both, the rather expensive jitterentropy as
+well as the get_random_bytes() randomness sources. The DRBG_SEED_STATE_FULL
+state on the other hand implies that no reseeding at all is required for a
+!->pr DRBG variant.
+
+Introduce the new DRBG_SEED_STATE_PARTIAL state to enum drbg_seed_state for
+representing the condition that a DRBG was being seeded when
+rng_is_initialized() had still been false. In particular, this new state
+implies that
+- the given DRBG instance has been fully seeded from the jitterentropy
+ source (if enabled)
+- and drbg_generate() is supposed to reseed from get_random_bytes()
+ *only* once rng_is_initialized() turns to true.
+
+Up to now, the __drbg_seed() helper used to set the given DRBG instance's
+->seeded state to constant DRBG_SEED_STATE_FULL. Introduce a new argument
+allowing for the specification of the to be written ->seeded value instead.
+Make the first of its two callers, drbg_seed(), determine the appropriate
+value based on rng_is_initialized(). The remaining caller,
+drbg_async_seed(), is known to get invoked only once rng_is_initialized()
+is true, hence let it pass constant DRBG_SEED_STATE_FULL for the new
+argument to __drbg_seed().
+
+There is no change in behaviour, except for that the pr_devel() in
+drbg_generate() would now report "unseeded" for ->pr DRBG instances which
+had last been seeded when rng_is_initialized() was still evaluating to
+false.
+
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Reviewed-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 12 ++++++++----
+ include/crypto/drbg.h | 1 +
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1037,14 +1037,14 @@ static const struct drbg_state_ops drbg_
+ ******************************************************************/
+
+ static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
+- int reseed)
++ int reseed, enum drbg_seed_state new_seed_state)
+ {
+ int ret = drbg->d_ops->update(drbg, seed, reseed);
+
+ if (ret)
+ return ret;
+
+- drbg->seeded = DRBG_SEED_STATE_FULL;
++ drbg->seeded = new_seed_state;
+ /* 10.1.1.2 / 10.1.1.3 step 5 */
+ drbg->reseed_ctr = 1;
+
+@@ -1094,7 +1094,7 @@ static void drbg_async_seed(struct work_
+ */
+ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
+
+- __drbg_seed(drbg, &seedlist, true);
++ __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
+
+ if (drbg->seeded == DRBG_SEED_STATE_FULL)
+ drbg->reseed_threshold = drbg_max_requests(drbg);
+@@ -1124,6 +1124,7 @@ static int drbg_seed(struct drbg_state *
+ unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
+ struct drbg_string data1;
+ LIST_HEAD(seedlist);
++ enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
+
+ /* 9.1 / 9.2 / 9.3.1 step 3 */
+ if (pers && pers->len > (drbg_max_addtl(drbg))) {
+@@ -1151,6 +1152,9 @@ static int drbg_seed(struct drbg_state *
+ BUG_ON((entropylen * 2) > sizeof(entropy));
+
+ /* Get seed from in-kernel /dev/urandom */
++ if (!rng_is_initialized())
++ new_seed_state = DRBG_SEED_STATE_PARTIAL;
++
+ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
+ if (ret)
+ goto out;
+@@ -1207,7 +1211,7 @@ static int drbg_seed(struct drbg_state *
+ memset(drbg->C, 0, drbg_statelen(drbg));
+ }
+
+- ret = __drbg_seed(drbg, &seedlist, reseed);
++ ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
+
+ out:
+ memzero_explicit(entropy, entropylen * 2);
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -107,6 +107,7 @@ struct drbg_test_data {
+
+ enum drbg_seed_state {
+ DRBG_SEED_STATE_UNSEEDED,
++ DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
+ DRBG_SEED_STATE_FULL,
+ };
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 2 Nov 2018 12:04:45 +0100
+Subject: drivers/char/random.c: constify poolinfo_table
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 26e0854ab3310bbeef1ed404a2c87132fc91f8e1 upstream.
+
+Never modified, might as well be put in .rodata.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -359,7 +359,7 @@ static int random_write_wakeup_bits = 28
+ * polynomial which improves the resulting TGFSR polynomial to be
+ * irreducible, which we have made here.
+ */
+-static struct poolinfo {
++static const struct poolinfo {
+ int poolbitshift, poolwords, poolbytes, poolbits, poolfracbits;
+ #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5)
+ int tap1, tap2, tap3, tap4, tap5;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 2 Nov 2018 12:04:47 +0100
+Subject: drivers/char/random.c: make primary_crng static
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 764ed189c82090c1d85f0e30636156736d8f09a8 upstream.
+
+Since the definition of struct crng_state is private to random.c, and
+primary_crng is neither declared or used elsewhere, there's no reason
+for that symbol to have external linkage.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -415,7 +415,7 @@ struct crng_state {
+ spinlock_t lock;
+ };
+
+-struct crng_state primary_crng = {
++static struct crng_state primary_crng = {
+ .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
+ };
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Thu, 1 Mar 2018 00:22:47 +0100
+Subject: drivers/char/random.c: remove unused dont_count_entropy
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 5e747dd9be54be190dd6ebeebf4a4a01ba765625 upstream.
+
+Ever since "random: kill dead extract_state struct" [1], the
+dont_count_entropy member of struct timer_rand_state has been
+effectively unused. Since it hasn't found a new use in 12 years, it's
+probably safe to finally kill it.
+
+[1] Pre-git, https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=c1c48e61c251f57e7a3f1bf11b3c462b2de9dcb5
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 55 +++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 29 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1077,7 +1077,6 @@ static ssize_t extract_crng_user(void __
+ struct timer_rand_state {
+ cycles_t last_time;
+ long last_delta, last_delta2;
+- unsigned dont_count_entropy:1;
+ };
+
+ #define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, };
+@@ -1141,35 +1140,33 @@ static void add_timer_randomness(struct
+ * We take into account the first, second and third-order deltas
+ * in order to make our estimate.
+ */
++ delta = sample.jiffies - state->last_time;
++ state->last_time = sample.jiffies;
++
++ delta2 = delta - state->last_delta;
++ state->last_delta = delta;
++
++ delta3 = delta2 - state->last_delta2;
++ state->last_delta2 = delta2;
++
++ if (delta < 0)
++ delta = -delta;
++ if (delta2 < 0)
++ delta2 = -delta2;
++ if (delta3 < 0)
++ delta3 = -delta3;
++ if (delta > delta2)
++ delta = delta2;
++ if (delta > delta3)
++ delta = delta3;
++
++ /*
++ * delta is now minimum absolute delta.
++ * Round down by 1 bit on general principles,
++ * and limit entropy entimate to 12 bits.
++ */
++ credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
+
+- if (!state->dont_count_entropy) {
+- delta = sample.jiffies - state->last_time;
+- state->last_time = sample.jiffies;
+-
+- delta2 = delta - state->last_delta;
+- state->last_delta = delta;
+-
+- delta3 = delta2 - state->last_delta2;
+- state->last_delta2 = delta2;
+-
+- if (delta < 0)
+- delta = -delta;
+- if (delta2 < 0)
+- delta2 = -delta2;
+- if (delta3 < 0)
+- delta3 = -delta3;
+- if (delta > delta2)
+- delta = delta2;
+- if (delta > delta3)
+- delta = delta3;
+-
+- /*
+- * delta is now minimum absolute delta.
+- * Round down by 1 bit on general principles,
+- * and limit entropy entimate to 12 bits.
+- */
+- credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
+- }
+ preempt_enable();
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Fri, 2 Nov 2018 12:04:46 +0100
+Subject: drivers/char/random.c: remove unused stuct poolinfo::poolbits
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 3bd0b5bf7dc3ea02070fcbcd682ecf628269e8ef upstream.
+
+This field is never used, might as well remove it.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -295,7 +295,7 @@
+ * To allow fractional bits to be tracked, the entropy_count field is
+ * denominated in units of 1/8th bits.
+ *
+- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in
++ * 2*(ENTROPY_SHIFT + poolbitshift) must <= 31, or the multiply in
+ * credit_entropy_bits() needs to be 64 bits wide.
+ */
+ #define ENTROPY_SHIFT 3
+@@ -360,8 +360,8 @@ static int random_write_wakeup_bits = 28
+ * irreducible, which we have made here.
+ */
+ static const struct poolinfo {
+- int poolbitshift, poolwords, poolbytes, poolbits, poolfracbits;
+-#define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5)
++ int poolbitshift, poolwords, poolbytes, poolfracbits;
++#define S(x) ilog2(x)+5, (x), (x)*4, (x) << (ENTROPY_SHIFT+5)
+ int tap1, tap2, tap3, tap4, tap5;
+ } poolinfo_table[] = {
+ /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+Date: Fri, 23 Aug 2019 14:24:51 +0800
+Subject: fdt: add support for rng-seed
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+commit 428826f5358c922dc378830a1717b682c0823160 upstream.
+
+Introducing a chosen node, rng-seed, which is an entropy that can be
+passed to kernel called very early to increase initial device
+randomness. Bootloader should provide this entropy and the value is
+read from /chosen/rng-seed in DT.
+
+Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
+since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
+
+Add a new interface add_bootloader_randomness() for rng-seed use case.
+Depends on whether the seed is trustworthy, rng seed would be passed to
+add_hwgenerator_randomness(). Otherwise it would be passed to
+add_device_randomness(). Decision is controlled by kernel config
+RANDOM_TRUST_BOOTLOADER.
+
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu> # drivers/char/random.c
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/Kconfig | 9 +++++++++
+ drivers/char/random.c | 14 ++++++++++++++
+ drivers/of/fdt.c | 14 ++++++++++++--
+ include/linux/random.h | 1 +
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -604,3 +604,12 @@ config RANDOM_TRUST_CPU
+ has not installed a hidden back door to compromise the CPU's
+ random number generation facilities. This can also be configured
+ at boot with "random.trust_cpu=on/off".
++
++config RANDOM_TRUST_BOOTLOADER
++ bool "Trust the bootloader to initialize Linux's CRNG"
++ help
++ Some bootloaders can provide entropy to increase the kernel's initial
++ device randomness. Say Y here to assume the entropy provided by the
++ booloader is trustworthy so it will be added to the kernel's entropy
++ pool. Otherwise, say N here so it will be regarded as device input that
++ only mixes the entropy pool.
+\ No newline at end of file
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2440,3 +2440,17 @@ void add_hwgenerator_randomness(const ch
+ }
+ }
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
++
++/* Handle random seed passed by bootloader.
++ * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
++ * it would be regarded as device data.
++ * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
++ */
++void add_bootloader_randomness(const void *buf, unsigned int size)
++{
++ if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
++ add_hwgenerator_randomness(buf, size, size * 8);
++ else
++ add_device_randomness(buf, size);
++}
++EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+\ No newline at end of file
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -27,6 +27,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/serial_core.h>
+ #include <linux/sysfs.h>
++#include <linux/random.h>
+
+ #include <asm/setup.h> /* for COMMAND_LINE_SIZE */
+ #include <asm/page.h>
+@@ -1117,6 +1118,7 @@ int __init early_init_dt_scan_chosen(uns
+ {
+ int l;
+ const char *p;
++ const void *rng_seed;
+
+ pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
+
+@@ -1151,6 +1153,14 @@ int __init early_init_dt_scan_chosen(uns
+
+ pr_debug("Command line is: %s\n", (char*)data);
+
++ rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
++ if (rng_seed && l > 0) {
++ add_bootloader_randomness(rng_seed, l);
++
++ /* try to clear seed so it won't be found. */
++ fdt_nop_property(initial_boot_params, node, "rng-seed");
++ }
++
+ /* break now */
+ return 1;
+ }
+@@ -1262,8 +1272,6 @@ bool __init early_init_dt_verify(void *p
+
+ /* Setup flat device-tree pointer */
+ initial_boot_params = params;
+- of_fdt_crc32 = crc32_be(~0, initial_boot_params,
+- fdt_totalsize(initial_boot_params));
+ return true;
+ }
+
+@@ -1289,6 +1297,8 @@ bool __init early_init_dt_scan(void *par
+ return false;
+
+ early_init_dt_scan_nodes();
++ of_fdt_crc32 = crc32_be(~0, initial_boot_params,
++ fdt_totalsize(initial_boot_params));
+ return true;
+ }
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -19,6 +19,7 @@ struct random_ready_callback {
+ };
+
+ extern void add_device_randomness(const void *, unsigned int);
++extern void add_bootloader_randomness(const void *, unsigned int);
+
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: ia64: define get_cycles macro for arch-override
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 57c0900b91d8891ab43f0e6b464d059fda51d102 upstream.
+
+Itanium defines a get_cycles() function, but it does not do the usual
+`#define get_cycles get_cycles` dance, making it impossible for generic
+code to see if an arch-specific function was defined. While the
+get_cycles() ifdef is not currently used, the following timekeeping
+patch in this series will depend on the macro existing (or not existing)
+when defining random_get_entropy().
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/include/asm/timex.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/ia64/include/asm/timex.h
++++ b/arch/ia64/include/asm/timex.h
+@@ -39,6 +39,7 @@ get_cycles (void)
+ ret = ia64_getreg(_IA64_REG_AR_ITC);
+ return ret;
+ }
++#define get_cycles get_cycles
+
+ extern void ia64_cpu_local_tick (void);
+ extern unsigned long long ia64_native_sched_clock (void);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 5 May 2022 02:20:22 +0200
+Subject: init: call time_init() before rand_initialize()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit fe222a6ca2d53c38433cba5d3be62a39099e708e upstream.
+
+Currently time_init() is called after rand_initialize(), but
+rand_initialize() makes use of the timer on various platforms, and
+sometimes this timer needs to be initialized by time_init() first. In
+order for random_get_entropy() to not return zero during early boot when
+it's potentially used as an entropy source, reverse the order of these
+two calls. The block doing random initialization was right before
+time_init() before, so changing the order shouldn't have any complicated
+effects.
+
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -607,11 +607,13 @@ asmlinkage __visible void __init start_k
+ hrtimers_init();
+ softirq_init();
+ timekeeping_init();
++ time_init();
+
+ /*
+ * For best initial stack canary entropy, prepare it after:
+ * - setup_arch() for any UEFI RNG entropy and boot cmdline access
+ * - timekeeping_init() for ktime entropy used in rand_initialize()
++ * - time_init() for making random_get_entropy() work on some platforms
+ * - rand_initialize() to get any arch-specific entropy like RDRAND
+ * - add_latent_entropy() to get any latent entropy
+ * - adding command line entropy
+@@ -621,7 +623,6 @@ asmlinkage __visible void __init start_k
+ add_device_randomness(command_line, strlen(command_line));
+ boot_init_stack_canary();
+
+- time_init();
+ sched_clock_postinit();
+ printk_safe_init();
+ perf_event_init();
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 7 May 2019 16:28:15 +0200
+Subject: latent_entropy: avoid build error when plugin cflags are not set
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 7e756f423af808b6571fed3144747db2ef7fa1c5 upstream.
+
+Some architectures set up CFLAGS for linux decompressor phase from
+scratch and do not include GCC_PLUGINS_CFLAGS. Since "latent_entropy"
+variable declaration is generated by the plugin code itself including
+linux/random.h in decompressor code then would cause a build
+error. E.g. on s390:
+
+In file included from ./include/linux/net.h:22,
+ from ./include/linux/skbuff.h:29,
+ from ./include/linux/if_ether.h:23,
+ from ./arch/s390/include/asm/diag.h:12,
+ from arch/s390/boot/startup.c:8:
+./include/linux/random.h: In function 'add_latent_entropy':
+./include/linux/random.h:26:39: error: 'latent_entropy' undeclared
+(first use in this function); did you mean 'add_latent_entropy'?
+ 26 | add_device_randomness((const void *)&latent_entropy,
+ | ^~~~~~~~~~~~~~
+ | add_latent_entropy
+./include/linux/random.h:26:39: note: each undeclared identifier is
+reported only once for each function it appears in
+
+The build error is triggered by commit a80313ff91ab ("s390/kernel:
+introduce .dma sections") which made it into 5.2 merge window.
+
+To address that avoid using CONFIG_GCC_PLUGIN_LATENT_ENTROPY in
+favour of LATENT_ENTROPY_PLUGIN definition which is defined as a
+part of gcc plugins cflags and hence reflect more accurately when gcc
+plugin is active. Besides that it is also used for similar purpose in
+linux/compiler-gcc.h for latent_entropy attribute definition.
+
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -20,7 +20,7 @@ struct random_ready_callback {
+
+ extern void add_device_randomness(const void *, unsigned int);
+
+-#if defined(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) && !defined(__CHECKER__)
++#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
+ {
+ add_device_randomness((const void *)&latent_entropy,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 11 Jan 2022 14:37:41 +0100
+Subject: lib/crypto: blake2s: move hmac construction into wireguard
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit d8d83d8ab0a453e17e68b3a3bed1f940c34b8646 upstream.
+
+Basically nobody should use blake2s in an HMAC construction; it already
+has a keyed variant. But unfortunately for historical reasons, Noise,
+used by WireGuard, uses HKDF quite strictly, which means we have to use
+this. Because this really shouldn't be used by others, this commit moves
+it into wireguard's noise.c locally, so that kernels that aren't using
+WireGuard don't get this superfluous code baked in. On m68k systems,
+this shaves off ~314 bytes.
+
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+[Jason: for stable, skip the wireguard changes, since this kernel
+ doesn't have wireguard.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/blake2s.h | 3 ---
+ lib/crypto/blake2s-selftest.c | 31 -------------------------------
+ lib/crypto/blake2s.c | 37 -------------------------------------
+ 3 files changed, 71 deletions(-)
+
+--- a/include/crypto/blake2s.h
++++ b/include/crypto/blake2s.h
+@@ -100,7 +100,4 @@ static inline void blake2s(u8 *out, cons
+ blake2s_final(&state, out);
+ }
+
+-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
+- const size_t keylen);
+-
+ #endif /* BLAKE2S_H */
+--- a/lib/crypto/blake2s-selftest.c
++++ b/lib/crypto/blake2s-selftest.c
+@@ -15,7 +15,6 @@
+ * #include <stdio.h>
+ *
+ * #include <openssl/evp.h>
+- * #include <openssl/hmac.h>
+ *
+ * #define BLAKE2S_TESTVEC_COUNT 256
+ *
+@@ -58,16 +57,6 @@
+ * }
+ * printf("};\n\n");
+ *
+- * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
+- *
+- * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
+- * print_vec(hash, BLAKE2S_OUTBYTES);
+- *
+- * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
+- * print_vec(hash, BLAKE2S_OUTBYTES);
+- *
+- * printf("};\n");
+- *
+ * return 0;
+ *}
+ */
+@@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE
+ 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
+ };
+
+-static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
+- { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
+- 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
+- 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
+- { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
+- 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
+- 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
+-};
+-
+ bool __init blake2s_selftest(void)
+ {
+ u8 key[BLAKE2S_KEY_SIZE];
+@@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
+ }
+ }
+
+- if (success) {
+- blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
+- success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
+-
+- blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
+- success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
+-
+- if (!success)
+- pr_err("blake2s256_hmac self-test: FAIL\n");
+- }
+-
+ return success;
+ }
+--- a/lib/crypto/blake2s.c
++++ b/lib/crypto/blake2s.c
+@@ -59,43 +59,6 @@ void blake2s_final(struct blake2s_state
+ }
+ EXPORT_SYMBOL(blake2s_final);
+
+-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
+- const size_t keylen)
+-{
+- struct blake2s_state state;
+- u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
+- u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
+- int i;
+-
+- if (keylen > BLAKE2S_BLOCK_SIZE) {
+- blake2s_init(&state, BLAKE2S_HASH_SIZE);
+- blake2s_update(&state, key, keylen);
+- blake2s_final(&state, x_key);
+- } else
+- memcpy(x_key, key, keylen);
+-
+- for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+- x_key[i] ^= 0x36;
+-
+- blake2s_init(&state, BLAKE2S_HASH_SIZE);
+- blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+- blake2s_update(&state, in, inlen);
+- blake2s_final(&state, i_hash);
+-
+- for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+- x_key[i] ^= 0x5c ^ 0x36;
+-
+- blake2s_init(&state, BLAKE2S_HASH_SIZE);
+- blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+- blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
+- blake2s_final(&state, i_hash);
+-
+- memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
+- memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
+- memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
+-}
+-EXPORT_SYMBOL(blake2s256_hmac);
+-
+ static int __init mod_init(void)
+ {
+ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 11 Jan 2022 18:58:43 +0100
+Subject: lib/crypto: sha1: re-roll loops to reduce code size
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9a1536b093bb5bf60689021275fd24d513bb8db0 upstream.
+
+With SHA-1 no longer being used for anything performance oriented, and
+also soon to be phased out entirely, we can make up for the space added
+by unrolled BLAKE2s by simply re-rolling SHA-1. Since SHA-1 is so much
+more complex, re-rolling it more or less takes care of the code size
+added by BLAKE2s. And eventually, hopefully we'll see SHA-1 removed
+entirely from most small kernel builds.
+
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/sha1.c | 95 ++++++++-----------------------------------------------------
+ 1 file changed, 14 insertions(+), 81 deletions(-)
+
+--- a/lib/sha1.c
++++ b/lib/sha1.c
+@@ -10,6 +10,7 @@
+ #include <linux/export.h>
+ #include <linux/bitops.h>
+ #include <linux/cryptohash.h>
++#include <linux/string.h>
+ #include <asm/unaligned.h>
+
+ /*
+@@ -55,7 +56,8 @@
+ #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
+ __u32 TEMP = input(t); setW(t, TEMP); \
+ E += TEMP + rol32(A,5) + (fn) + (constant); \
+- B = ror32(B, 2); } while (0)
++ B = ror32(B, 2); \
++ TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
+
+ #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
+ #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
+@@ -82,6 +84,7 @@
+ void sha_transform(__u32 *digest, const char *data, __u32 *array)
+ {
+ __u32 A, B, C, D, E;
++ unsigned int i = 0;
+
+ A = digest[0];
+ B = digest[1];
+@@ -90,94 +93,24 @@ void sha_transform(__u32 *digest, const
+ E = digest[4];
+
+ /* Round 1 - iterations 0-16 take their input from 'data' */
+- T_0_15( 0, A, B, C, D, E);
+- T_0_15( 1, E, A, B, C, D);
+- T_0_15( 2, D, E, A, B, C);
+- T_0_15( 3, C, D, E, A, B);
+- T_0_15( 4, B, C, D, E, A);
+- T_0_15( 5, A, B, C, D, E);
+- T_0_15( 6, E, A, B, C, D);
+- T_0_15( 7, D, E, A, B, C);
+- T_0_15( 8, C, D, E, A, B);
+- T_0_15( 9, B, C, D, E, A);
+- T_0_15(10, A, B, C, D, E);
+- T_0_15(11, E, A, B, C, D);
+- T_0_15(12, D, E, A, B, C);
+- T_0_15(13, C, D, E, A, B);
+- T_0_15(14, B, C, D, E, A);
+- T_0_15(15, A, B, C, D, E);
++ for (; i < 16; ++i)
++ T_0_15(i, A, B, C, D, E);
+
+ /* Round 1 - tail. Input from 512-bit mixing array */
+- T_16_19(16, E, A, B, C, D);
+- T_16_19(17, D, E, A, B, C);
+- T_16_19(18, C, D, E, A, B);
+- T_16_19(19, B, C, D, E, A);
++ for (; i < 20; ++i)
++ T_16_19(i, A, B, C, D, E);
+
+ /* Round 2 */
+- T_20_39(20, A, B, C, D, E);
+- T_20_39(21, E, A, B, C, D);
+- T_20_39(22, D, E, A, B, C);
+- T_20_39(23, C, D, E, A, B);
+- T_20_39(24, B, C, D, E, A);
+- T_20_39(25, A, B, C, D, E);
+- T_20_39(26, E, A, B, C, D);
+- T_20_39(27, D, E, A, B, C);
+- T_20_39(28, C, D, E, A, B);
+- T_20_39(29, B, C, D, E, A);
+- T_20_39(30, A, B, C, D, E);
+- T_20_39(31, E, A, B, C, D);
+- T_20_39(32, D, E, A, B, C);
+- T_20_39(33, C, D, E, A, B);
+- T_20_39(34, B, C, D, E, A);
+- T_20_39(35, A, B, C, D, E);
+- T_20_39(36, E, A, B, C, D);
+- T_20_39(37, D, E, A, B, C);
+- T_20_39(38, C, D, E, A, B);
+- T_20_39(39, B, C, D, E, A);
++ for (; i < 40; ++i)
++ T_20_39(i, A, B, C, D, E);
+
+ /* Round 3 */
+- T_40_59(40, A, B, C, D, E);
+- T_40_59(41, E, A, B, C, D);
+- T_40_59(42, D, E, A, B, C);
+- T_40_59(43, C, D, E, A, B);
+- T_40_59(44, B, C, D, E, A);
+- T_40_59(45, A, B, C, D, E);
+- T_40_59(46, E, A, B, C, D);
+- T_40_59(47, D, E, A, B, C);
+- T_40_59(48, C, D, E, A, B);
+- T_40_59(49, B, C, D, E, A);
+- T_40_59(50, A, B, C, D, E);
+- T_40_59(51, E, A, B, C, D);
+- T_40_59(52, D, E, A, B, C);
+- T_40_59(53, C, D, E, A, B);
+- T_40_59(54, B, C, D, E, A);
+- T_40_59(55, A, B, C, D, E);
+- T_40_59(56, E, A, B, C, D);
+- T_40_59(57, D, E, A, B, C);
+- T_40_59(58, C, D, E, A, B);
+- T_40_59(59, B, C, D, E, A);
++ for (; i < 60; ++i)
++ T_40_59(i, A, B, C, D, E);
+
+ /* Round 4 */
+- T_60_79(60, A, B, C, D, E);
+- T_60_79(61, E, A, B, C, D);
+- T_60_79(62, D, E, A, B, C);
+- T_60_79(63, C, D, E, A, B);
+- T_60_79(64, B, C, D, E, A);
+- T_60_79(65, A, B, C, D, E);
+- T_60_79(66, E, A, B, C, D);
+- T_60_79(67, D, E, A, B, C);
+- T_60_79(68, C, D, E, A, B);
+- T_60_79(69, B, C, D, E, A);
+- T_60_79(70, A, B, C, D, E);
+- T_60_79(71, E, A, B, C, D);
+- T_60_79(72, D, E, A, B, C);
+- T_60_79(73, C, D, E, A, B);
+- T_60_79(74, B, C, D, E, A);
+- T_60_79(75, A, B, C, D, E);
+- T_60_79(76, E, A, B, C, D);
+- T_60_79(77, D, E, A, B, C);
+- T_60_79(78, C, D, E, A, B);
+- T_60_79(79, B, C, D, E, A);
++ for (; i < 80; ++i)
++ T_60_79(i, A, B, C, D, E);
+
+ digest[0] += A;
+ digest[1] += B;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:18 +0000
+Subject: linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 904caa6413c87aacbf7d0682da617c39ca18cf1a upstream.
+
+We must not use the pointer output without validating the
+success of the random read.
+
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-7-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -118,19 +118,19 @@ unsigned long randomize_page(unsigned lo
+ #ifdef CONFIG_ARCH_RANDOM
+ # include <asm/archrandom.h>
+ #else
+-static inline bool arch_get_random_long(unsigned long *v)
++static inline bool __must_check arch_get_random_long(unsigned long *v)
+ {
+ return false;
+ }
+-static inline bool arch_get_random_int(unsigned int *v)
++static inline bool __must_check arch_get_random_int(unsigned int *v)
+ {
+ return false;
+ }
+-static inline bool arch_get_random_seed_long(unsigned long *v)
++static inline bool __must_check arch_get_random_seed_long(unsigned long *v)
+ {
+ return false;
+ }
+-static inline bool arch_get_random_seed_int(unsigned int *v)
++static inline bool __must_check arch_get_random_seed_int(unsigned int *v)
+ {
+ return false;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:16 +0000
+Subject: linux/random.h: Remove arch_has_random, arch_has_random_seed
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 647f50d5d9d933b644b29c54f13ac52af1b1774d upstream.
+
+The arm64 version of archrandom.h will need to be able to test for
+support and read the random number without preemption, so a separate
+query predicate is not practical.
+
+Since this part of the generic interface is unused, remove it.
+
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-5-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -126,10 +126,6 @@ static inline bool arch_get_random_int(u
+ {
+ return 0;
+ }
+-static inline bool arch_has_random(void)
+-{
+- return 0;
+-}
+ static inline bool arch_get_random_seed_long(unsigned long *v)
+ {
+ return 0;
+@@ -138,10 +134,6 @@ static inline bool arch_get_random_seed_
+ {
+ return 0;
+ }
+-static inline bool arch_has_random_seed(void)
+-{
+- return 0;
+-}
+ #endif
+
+ #endif /* _LINUX_RANDOM_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:17 +0000
+Subject: linux/random.h: Use false with bool
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 66f5ae899ada79c0e9a3d8d954f93a72344cd350 upstream.
+
+Keep the generic fallback versions in sync with the other architecture
+specific implementations and use the proper name for false.
+
+Suggested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-6-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -120,19 +120,19 @@ unsigned long randomize_page(unsigned lo
+ #else
+ static inline bool arch_get_random_long(unsigned long *v)
+ {
+- return 0;
++ return false;
+ }
+ static inline bool arch_get_random_int(unsigned int *v)
+ {
+- return 0;
++ return false;
+ }
+ static inline bool arch_get_random_seed_long(unsigned long *v)
+ {
+- return 0;
++ return false;
+ }
+ static inline bool arch_get_random_seed_int(unsigned int *v)
+ {
+- return 0;
++ return false;
+ }
+ #endif
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: m68k: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 0f392c95391f2d708b12971a07edaa7973f9eece upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/include/asm/timex.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/m68k/include/asm/timex.h
++++ b/arch/m68k/include/asm/timex.h
+@@ -35,7 +35,7 @@ static inline unsigned long random_get_e
+ {
+ if (mach_random_get_entropy)
+ return mach_random_get_entropy();
+- return 0;
++ return random_get_entropy_fallback();
+ }
+ #define random_get_entropy random_get_entropy
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 30 Nov 2021 13:43:15 -0500
+Subject: MAINTAINERS: co-maintain random.c
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 58e1100fdc5990b0cc0d4beaf2562a92e621ac7d upstream.
+
+random.c is a bit understaffed, and folks want more prompt reviews. I've
+got the crypto background and the interest to do these reviews, and have
+authored parts of the file already.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -11307,6 +11307,7 @@ F: drivers/block/brd.c
+
+ RANDOM NUMBER DRIVER
+ M: "Theodore Ts'o" <tytso@mit.edu>
++M: Jason A. Donenfeld <Jason@zx2c4.com>
+ S: Maintained
+ F: drivers/char/random.c
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: mips: use fallback for random_get_entropy() instead of just c0 random
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1c99c6a7c3c599a68321b01b9ec243215ede5a68 upstream.
+
+For situations in which we don't have a c0 counter register available,
+we've been falling back to reading the c0 "random" register, which is
+usually bounded by the amount of TLB entries and changes every other
+cycle or so. This means it wraps extremely often. We can do better by
+combining this fast-changing counter with a potentially slower-changing
+counter from random_get_entropy_fallback() in the more significant bits.
+This commit combines the two, taking into account that the changing bits
+are in a different bit position depending on the CPU model. In addition,
+we previously were falling back to 0 for ancient CPUs that Linux does
+not support anyway; remove that dead path entirely.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Tested-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/timex.h | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/arch/mips/include/asm/timex.h
++++ b/arch/mips/include/asm/timex.h
+@@ -76,25 +76,24 @@ static inline cycles_t get_cycles(void)
+ else
+ return 0; /* no usable counter */
+ }
++#define get_cycles get_cycles
+
+ /*
+ * Like get_cycles - but where c0_count is not available we desperately
+ * use c0_random in an attempt to get at least a little bit of entropy.
+- *
+- * R6000 and R6000A neither have a count register nor a random register.
+- * That leaves no entropy source in the CPU itself.
+ */
+ static inline unsigned long random_get_entropy(void)
+ {
+- unsigned int prid = read_c0_prid();
+- unsigned int imp = prid & PRID_IMP_MASK;
++ unsigned int c0_random;
+
+- if (can_use_mips_counter(prid))
++ if (can_use_mips_counter(read_c0_prid()))
+ return read_c0_count();
+- else if (likely(imp != PRID_IMP_R6000 && imp != PRID_IMP_R6000A))
+- return read_c0_random();
++
++ if (cpu_has_3kex)
++ c0_random = (read_c0_random() >> 8) & 0x3f;
+ else
+- return 0; /* no usable register */
++ c0_random = read_c0_random() & 0x3f;
++ return (random_get_entropy_fallback() << 6) | (0x3f - c0_random);
+ }
+ #define random_get_entropy random_get_entropy
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: nios2: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit c04e72700f2293013dab40208e809369378f224c upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/include/asm/timex.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/nios2/include/asm/timex.h
++++ b/arch/nios2/include/asm/timex.h
+@@ -20,5 +20,8 @@
+ typedef unsigned long cycles_t;
+
+ extern cycles_t get_cycles(void);
++#define get_cycles get_cycles
++
++#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback())
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: parisc: define get_cycles macro for arch-override
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 8865bbe6ba1120e67f72201b7003a16202cd42be upstream.
+
+PA-RISC defines a get_cycles() function, but it does not do the usual
+`#define get_cycles get_cycles` dance, making it impossible for generic
+code to see if an arch-specific function was defined. While the
+get_cycles() ifdef is not currently used, the following timekeeping
+patch in this series will depend on the macro existing (or not existing)
+when defining random_get_entropy().
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/timex.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/timex.h
++++ b/arch/parisc/include/asm/timex.h
+@@ -12,9 +12,10 @@
+
+ typedef unsigned long cycles_t;
+
+-static inline cycles_t get_cycles (void)
++static inline cycles_t get_cycles(void)
+ {
+ return mfctl(16);
+ }
++#define get_cycles get_cycles
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: powerpc: define get_cycles macro for arch-override
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 408835832158df0357e18e96da7f2d1ed6b80e7f upstream.
+
+PowerPC defines a get_cycles() function, but it does not do the usual
+`#define get_cycles get_cycles` dance, making it impossible for generic
+code to see if an arch-specific function was defined. While the
+get_cycles() ifdef is not currently used, the following timekeeping
+patch in this series will depend on the macro existing (or not existing)
+when defining random_get_entropy().
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Benjamin Herrenschmidt <benh@ozlabs.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/timex.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/timex.h
++++ b/arch/powerpc/include/asm/timex.h
+@@ -50,6 +50,7 @@ static inline cycles_t get_cycles(void)
+ return ret;
+ #endif
+ }
++#define get_cycles get_cycles
+
+ #endif /* __KERNEL__ */
+ #endif /* _ASM_POWERPC_TIMEX_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:14 +0000
+Subject: powerpc: Remove arch_has_random, arch_has_random_seed
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit cbac004995a0ce8453bdc555fab579e2bdb842a6 upstream.
+
+These symbols are currently part of the generic archrandom.h
+interface, but are currently unused and can be removed.
+
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-3-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/archrandom.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/arch/powerpc/include/asm/archrandom.h
++++ b/arch/powerpc/include/asm/archrandom.h
+@@ -34,16 +34,6 @@ static inline int arch_get_random_seed_i
+
+ return rc;
+ }
+-
+-static inline int arch_has_random(void)
+-{
+- return 0;
+-}
+-
+-static inline int arch_has_random_seed(void)
+-{
+- return !!ppc_md.get_random_seed;
+-}
+ #endif /* CONFIG_ARCH_RANDOM */
+
+ #ifdef CONFIG_PPC_POWERNV
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:20 +0000
+Subject: powerpc: Use bool in archrandom.h
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 98dcfce69729f9ce0fb14f96a39bbdba21429597 upstream.
+
+The generic interface uses bool not int; match that.
+
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-9-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/archrandom.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/include/asm/archrandom.h
++++ b/arch/powerpc/include/asm/archrandom.h
+@@ -6,27 +6,28 @@
+
+ #include <asm/machdep.h>
+
+-static inline int arch_get_random_long(unsigned long *v)
++static inline bool arch_get_random_long(unsigned long *v)
+ {
+- return 0;
++ return false;
+ }
+
+-static inline int arch_get_random_int(unsigned int *v)
++static inline bool arch_get_random_int(unsigned int *v)
+ {
+- return 0;
++ return false;
+ }
+
+-static inline int arch_get_random_seed_long(unsigned long *v)
++static inline bool arch_get_random_seed_long(unsigned long *v)
+ {
+ if (ppc_md.get_random_seed)
+ return ppc_md.get_random_seed(v);
+
+- return 0;
++ return false;
+ }
+-static inline int arch_get_random_seed_int(unsigned int *v)
++
++static inline bool arch_get_random_seed_int(unsigned int *v)
+ {
+ unsigned long val;
+- int rc;
++ bool rc;
+
+ rc = arch_get_random_seed_long(&val);
+ if (rc)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 9 Feb 2022 01:56:35 +0100
+Subject: random: absorb fast pool into input pool after fast load
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit c30c575db4858f0bbe5e315ff2e529c782f33a1f upstream.
+
+During crng_init == 0, we never credit entropy in add_interrupt_
+randomness(), but instead dump it directly into the primary_crng. That's
+fine, except for the fact that we then wind up throwing away that
+entropy later when we switch to extracting from the input pool and
+xoring into (and later in this series overwriting) the primary_crng key.
+The two other early init sites -- add_hwgenerator_randomness()'s use
+crng_fast_load() and add_device_ randomness()'s use of crng_slow_load()
+-- always additionally give their inputs to the input pool. But not
+add_interrupt_randomness().
+
+This commit fixes that shortcoming by calling mix_pool_bytes() after
+crng_fast_load() in add_interrupt_randomness(). That's partially
+verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ
+handler. But this also only happens during early boot and then never
+again after that. Plus it's a trylock so it has the same considerations
+as calling crng_fast_load(), which we're already using.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Suggested-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 407 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 237 insertions(+), 170 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -67,63 +67,19 @@
+ * Exported interfaces ---- kernel output
+ * --------------------------------------
+ *
+- * The primary kernel interface is
++ * The primary kernel interfaces are:
+ *
+ * void get_random_bytes(void *buf, int nbytes);
+- *
+- * This interface will return the requested number of random bytes,
+- * and place it in the requested buffer. This is equivalent to a
+- * read from /dev/urandom.
+- *
+- * For less critical applications, there are the functions:
+- *
+ * u32 get_random_u32()
+ * u64 get_random_u64()
+ * unsigned int get_random_int()
+ * unsigned long get_random_long()
+ *
+- * These are produced by a cryptographic RNG seeded from get_random_bytes,
+- * and so do not deplete the entropy pool as much. These are recommended
+- * for most in-kernel operations *if the result is going to be stored in
+- * the kernel*.
+- *
+- * Specifically, the get_random_int() family do not attempt to do
+- * "anti-backtracking". If you capture the state of the kernel (e.g.
+- * by snapshotting the VM), you can figure out previous get_random_int()
+- * return values. But if the value is stored in the kernel anyway,
+- * this is not a problem.
+- *
+- * It *is* safe to expose get_random_int() output to attackers (e.g. as
+- * network cookies); given outputs 1..n, it's not feasible to predict
+- * outputs 0 or n+1. The only concern is an attacker who breaks into
+- * the kernel later; the get_random_int() engine is not reseeded as
+- * often as the get_random_bytes() one.
+- *
+- * get_random_bytes() is needed for keys that need to stay secret after
+- * they are erased from the kernel. For example, any key that will
+- * be wrapped and stored encrypted. And session encryption keys: we'd
+- * like to know that after the session is closed and the keys erased,
+- * the plaintext is unrecoverable to someone who recorded the ciphertext.
+- *
+- * But for network ports/cookies, stack canaries, PRNG seeds, address
+- * space layout randomization, session *authentication* keys, or other
+- * applications where the sensitive data is stored in the kernel in
+- * plaintext for as long as it's sensitive, the get_random_int() family
+- * is just fine.
+- *
+- * Consider ASLR. We want to keep the address space secret from an
+- * outside attacker while the process is running, but once the address
+- * space is torn down, it's of no use to an attacker any more. And it's
+- * stored in kernel data structures as long as it's alive, so worrying
+- * about an attacker's ability to extrapolate it from the get_random_int()
+- * CRNG is silly.
+- *
+- * Even some cryptographic keys are safe to generate with get_random_int().
+- * In particular, keys for SipHash are generally fine. Here, knowledge
+- * of the key authorizes you to do something to a kernel object (inject
+- * packets to a network connection, or flood a hash table), and the
+- * key is stored with the object being protected. Once it goes away,
+- * we no longer care if anyone knows the key.
++ * These interfaces will return the requested number of random bytes
++ * into the given buffer or as a return value. This is equivalent to a
++ * read from /dev/urandom. The get_random_{u32,u64,int,long}() family
++ * of functions may be higher performance for one-off random integers,
++ * because they do a bit of buffering.
+ *
+ * prandom_u32()
+ * -------------
+@@ -300,20 +256,6 @@ static struct fasync_struct *fasync;
+ static DEFINE_SPINLOCK(random_ready_list_lock);
+ static LIST_HEAD(random_ready_list);
+
+-struct crng_state {
+- u32 state[16];
+- unsigned long init_time;
+- spinlock_t lock;
+-};
+-
+-static struct crng_state primary_crng = {
+- .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
+- .state[0] = CHACHA_CONSTANT_EXPA,
+- .state[1] = CHACHA_CONSTANT_ND_3,
+- .state[2] = CHACHA_CONSTANT_2_BY,
+- .state[3] = CHACHA_CONSTANT_TE_K,
+-};
+-
+ /*
+ * crng_init = 0 --> Uninitialized
+ * 1 --> Initialized
+@@ -325,9 +267,6 @@ static struct crng_state primary_crng =
+ static int crng_init = 0;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+-#define CRNG_INIT_CNT_THRESH (2 * CHACHA20_KEY_SIZE)
+-static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE]);
+-static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used);
+ static void process_random_ready_list(void);
+ static void _get_random_bytes(void *buf, int nbytes);
+
+@@ -470,7 +409,28 @@ static void credit_entropy_bits(int nbit
+ *
+ *********************************************************************/
+
+-#define CRNG_RESEED_INTERVAL (300 * HZ)
++enum {
++ CRNG_RESEED_INTERVAL = 300 * HZ,
++ CRNG_INIT_CNT_THRESH = 2 * CHACHA20_KEY_SIZE
++};
++
++static struct {
++ u8 key[CHACHA20_KEY_SIZE] __aligned(__alignof__(long));
++ unsigned long birth;
++ unsigned long generation;
++ spinlock_t lock;
++} base_crng = {
++ .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock)
++};
++
++struct crng {
++ u8 key[CHACHA20_KEY_SIZE];
++ unsigned long generation;
++};
++
++static DEFINE_PER_CPU(struct crng, crngs) = {
++ .generation = ULONG_MAX
++};
+
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+
+@@ -487,22 +447,22 @@ static size_t crng_fast_load(const u8 *c
+ u8 *p;
+ size_t ret = 0;
+
+- if (!spin_trylock_irqsave(&primary_crng.lock, flags))
++ if (!spin_trylock_irqsave(&base_crng.lock, flags))
+ return 0;
+ if (crng_init != 0) {
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 0;
+ }
+- p = (u8 *)&primary_crng.state[4];
++ p = base_crng.key;
+ while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+- p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
++ p[crng_init_cnt % sizeof(base_crng.key)] ^= *cp;
+ cp++; crng_init_cnt++; len--; ret++;
+ }
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ invalidate_batched_entropy();
+ crng_init = 1;
+ }
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
+ if (crng_init == 1)
+ pr_notice("fast init done\n");
+ return ret;
+@@ -527,14 +487,14 @@ static int crng_slow_load(const u8 *cp,
+ unsigned long flags;
+ static u8 lfsr = 1;
+ u8 tmp;
+- unsigned int i, max = CHACHA20_KEY_SIZE;
++ unsigned int i, max = sizeof(base_crng.key);
+ const u8 *src_buf = cp;
+- u8 *dest_buf = (u8 *)&primary_crng.state[4];
++ u8 *dest_buf = base_crng.key;
+
+- if (!spin_trylock_irqsave(&primary_crng.lock, flags))
++ if (!spin_trylock_irqsave(&base_crng.lock, flags))
+ return 0;
+ if (crng_init != 0) {
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 0;
+ }
+ if (len > max)
+@@ -545,38 +505,50 @@ static int crng_slow_load(const u8 *cp,
+ lfsr >>= 1;
+ if (tmp & 1)
+ lfsr ^= 0xE1;
+- tmp = dest_buf[i % CHACHA20_KEY_SIZE];
+- dest_buf[i % CHACHA20_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
++ tmp = dest_buf[i % sizeof(base_crng.key)];
++ dest_buf[i % sizeof(base_crng.key)] ^= src_buf[i % len] ^ lfsr;
+ lfsr += (tmp << 3) | (tmp >> 5);
+ }
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 1;
+ }
+
+ static void crng_reseed(void)
+ {
+ unsigned long flags;
+- int i, entropy_count;
+- union {
+- u8 block[CHACHA20_BLOCK_SIZE];
+- u32 key[8];
+- } buf;
++ int entropy_count;
++ unsigned long next_gen;
++ u8 key[CHACHA20_KEY_SIZE];
+
++ /*
++ * First we make sure we have POOL_MIN_BITS of entropy in the pool,
++ * and then we drain all of it. Only then can we extract a new key.
++ */
+ do {
+ entropy_count = READ_ONCE(input_pool.entropy_count);
+ if (entropy_count < POOL_MIN_BITS)
+ return;
+ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+- extract_entropy(buf.key, sizeof(buf.key));
++ extract_entropy(key, sizeof(key));
+ wake_up_interruptible(&random_write_wait);
+ kill_fasync(&fasync, SIGIO, POLL_OUT);
+
+- spin_lock_irqsave(&primary_crng.lock, flags);
+- for (i = 0; i < 8; i++)
+- primary_crng.state[i + 4] ^= buf.key[i];
+- memzero_explicit(&buf, sizeof(buf));
+- WRITE_ONCE(primary_crng.init_time, jiffies);
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ /*
++ * We copy the new key into the base_crng, overwriting the old one,
++ * and update the generation counter. We avoid hitting ULONG_MAX,
++ * because the per-cpu crngs are initialized to ULONG_MAX, so this
++ * forces new CPUs that come online to always initialize.
++ */
++ spin_lock_irqsave(&base_crng.lock, flags);
++ memcpy(base_crng.key, key, sizeof(base_crng.key));
++ next_gen = base_crng.generation + 1;
++ if (next_gen == ULONG_MAX)
++ ++next_gen;
++ WRITE_ONCE(base_crng.generation, next_gen);
++ WRITE_ONCE(base_crng.birth, jiffies);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ memzero_explicit(key, sizeof(key));
++
+ if (crng_init < 2) {
+ invalidate_batched_entropy();
+ crng_init = 2;
+@@ -597,77 +569,143 @@ static void crng_reseed(void)
+ }
+ }
+
+-static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE])
++/*
++ * The general form here is based on a "fast key erasure RNG" from
++ * <https://blog.cr.yp.to/20170723-random.html>. It generates a ChaCha
++ * block using the provided key, and then immediately overwites that
++ * key with half the block. It returns the resultant ChaCha state to the
++ * user, along with the second half of the block containing 32 bytes of
++ * random data that may be used; random_data_len may not be greater than
++ * 32.
++ */
++static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE],
++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
++ u8 *random_data, size_t random_data_len)
+ {
+- unsigned long flags, init_time;
++ u8 first_block[CHACHA20_BLOCK_SIZE];
+
+- if (crng_ready()) {
+- init_time = READ_ONCE(primary_crng.init_time);
+- if (time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
+- crng_reseed();
+- }
+- spin_lock_irqsave(&primary_crng.lock, flags);
+- chacha20_block(&primary_crng.state[0], out);
+- if (primary_crng.state[12] == 0)
+- primary_crng.state[13]++;
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
++ BUG_ON(random_data_len > 32);
++
++ chacha_init_consts(chacha_state);
++ memcpy(&chacha_state[4], key, CHACHA20_KEY_SIZE);
++ memset(&chacha_state[12], 0, sizeof(u32) * 4);
++ chacha20_block(chacha_state, first_block);
++
++ memcpy(key, first_block, CHACHA20_KEY_SIZE);
++ memcpy(random_data, first_block + CHACHA20_KEY_SIZE, random_data_len);
++ memzero_explicit(first_block, sizeof(first_block));
+ }
+
+ /*
+- * Use the leftover bytes from the CRNG block output (if there is
+- * enough) to mutate the CRNG key to provide backtracking protection.
++ * This function returns a ChaCha state that you may use for generating
++ * random data. It also returns up to 32 bytes on its own of random data
++ * that may be used; random_data_len may not be greater than 32.
+ */
+-static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++static void crng_make_state(u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
++ u8 *random_data, size_t random_data_len)
+ {
+ unsigned long flags;
+- u32 *s, *d;
+- int i;
++ struct crng *crng;
++
++ BUG_ON(random_data_len > 32);
++
++ /*
++ * For the fast path, we check whether we're ready, unlocked first, and
++ * then re-check once locked later. In the case where we're really not
++ * ready, we do fast key erasure with the base_crng directly, because
++ * this is what crng_{fast,slow}_load mutate during early init.
++ */
++ if (unlikely(!crng_ready())) {
++ bool ready;
++
++ spin_lock_irqsave(&base_crng.lock, flags);
++ ready = crng_ready();
++ if (!ready)
++ crng_fast_key_erasure(base_crng.key, chacha_state,
++ random_data, random_data_len);
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ if (!ready)
++ return;
++ }
++
++ /*
++ * If the base_crng is more than 5 minutes old, we reseed, which
++ * in turn bumps the generation counter that we check below.
++ */
++ if (unlikely(time_after(jiffies, READ_ONCE(base_crng.birth) + CRNG_RESEED_INTERVAL)))
++ crng_reseed();
++
++ local_irq_save(flags);
++ crng = raw_cpu_ptr(&crngs);
++
++ /*
++ * If our per-cpu crng is older than the base_crng, then it means
++ * somebody reseeded the base_crng. In that case, we do fast key
++ * erasure on the base_crng, and use its output as the new key
++ * for our per-cpu crng. This brings us up to date with base_crng.
++ */
++ if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) {
++ spin_lock(&base_crng.lock);
++ crng_fast_key_erasure(base_crng.key, chacha_state,
++ crng->key, sizeof(crng->key));
++ crng->generation = base_crng.generation;
++ spin_unlock(&base_crng.lock);
++ }
++
++ /*
++ * Finally, when we've made it this far, our per-cpu crng has an up
++ * to date key, and we can do fast key erasure with it to produce
++ * some random data and a ChaCha state for the caller. All other
++ * branches of this function are "unlikely", so most of the time we
++ * should wind up here immediately.
++ */
++ crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len);
++ local_irq_restore(flags);
++}
++
++static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
++{
++ bool large_request = nbytes > 256;
++ ssize_t ret = 0, len;
++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
++ u8 output[CHACHA20_BLOCK_SIZE];
++
++ if (!nbytes)
++ return 0;
+
+- used = round_up(used, sizeof(u32));
+- if (used + CHACHA20_KEY_SIZE > CHACHA20_BLOCK_SIZE) {
+- extract_crng(tmp);
+- used = 0;
+- }
+- spin_lock_irqsave(&primary_crng.lock, flags);
+- s = (u32 *)&tmp[used];
+- d = &primary_crng.state[4];
+- for (i = 0; i < 8; i++)
+- *d++ ^= *s++;
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
+-}
+-
+-static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
+-{
+- ssize_t ret = 0, i = CHACHA20_BLOCK_SIZE;
+- u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
+- int large_request = (nbytes > 256);
++ len = min_t(ssize_t, 32, nbytes);
++ crng_make_state(chacha_state, output, len);
++
++ if (copy_to_user(buf, output, len))
++ return -EFAULT;
++ nbytes -= len;
++ buf += len;
++ ret += len;
+
+ while (nbytes) {
+ if (large_request && need_resched()) {
+- if (signal_pending(current)) {
+- if (ret == 0)
+- ret = -ERESTARTSYS;
++ if (signal_pending(current))
+ break;
+- }
+ schedule();
+ }
+
+- extract_crng(tmp);
+- i = min_t(int, nbytes, CHACHA20_BLOCK_SIZE);
+- if (copy_to_user(buf, tmp, i)) {
++ chacha20_block(chacha_state, output);
++ if (unlikely(chacha_state[12] == 0))
++ ++chacha_state[13];
++
++ len = min_t(ssize_t, nbytes, CHACHA20_BLOCK_SIZE);
++ if (copy_to_user(buf, output, len)) {
+ ret = -EFAULT;
+ break;
+ }
+
+- nbytes -= i;
+- buf += i;
+- ret += i;
++ nbytes -= len;
++ buf += len;
++ ret += len;
+ }
+- crng_backtrack_protect(tmp, i);
+-
+- /* Wipe data just written to memory */
+- memzero_explicit(tmp, sizeof(tmp));
+
++ memzero_explicit(chacha_state, sizeof(chacha_state));
++ memzero_explicit(output, sizeof(output));
+ return ret;
+ }
+
+@@ -850,6 +888,10 @@ void add_interrupt_randomness(int irq)
+ crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
+ fast_pool->count = 0;
+ fast_pool->last = now;
++ if (spin_trylock(&input_pool.lock)) {
++ _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
++ spin_unlock(&input_pool.lock);
++ }
+ }
+ return;
+ }
+@@ -972,23 +1014,36 @@ static void _warn_unseeded_randomness(co
+ */
+ static void _get_random_bytes(void *buf, int nbytes)
+ {
+- u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
++ u8 tmp[CHACHA20_BLOCK_SIZE];
++ ssize_t len;
+
+ trace_get_random_bytes(nbytes, _RET_IP_);
+
+- while (nbytes >= CHACHA20_BLOCK_SIZE) {
+- extract_crng(buf);
+- buf += CHACHA20_BLOCK_SIZE;
++ if (!nbytes)
++ return;
++
++ len = min_t(ssize_t, 32, nbytes);
++ crng_make_state(chacha_state, buf, len);
++ nbytes -= len;
++ buf += len;
++
++ while (nbytes) {
++ if (nbytes < CHACHA20_BLOCK_SIZE) {
++ chacha20_block(chacha_state, tmp);
++ memcpy(buf, tmp, nbytes);
++ memzero_explicit(tmp, sizeof(tmp));
++ break;
++ }
++
++ chacha20_block(chacha_state, buf);
++ if (unlikely(chacha_state[12] == 0))
++ ++chacha_state[13];
+ nbytes -= CHACHA20_BLOCK_SIZE;
++ buf += CHACHA20_BLOCK_SIZE;
+ }
+
+- if (nbytes > 0) {
+- extract_crng(tmp);
+- memcpy(buf, tmp, nbytes);
+- crng_backtrack_protect(tmp, nbytes);
+- } else
+- crng_backtrack_protect(tmp, CHACHA20_BLOCK_SIZE);
+- memzero_explicit(tmp, sizeof(tmp));
++ memzero_explicit(chacha_state, sizeof(chacha_state));
+ }
+
+ void get_random_bytes(void *buf, int nbytes)
+@@ -1219,13 +1274,12 @@ int __init rand_initialize(void)
+ mix_pool_bytes(&now, sizeof(now));
+ mix_pool_bytes(utsname(), sizeof(*(utsname())));
+
+- extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
++ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ if (arch_init && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ crng_init = 2;
+ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+- primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
+@@ -1257,7 +1311,7 @@ static ssize_t urandom_read_nowarn(struc
+ int ret;
+
+ nbytes = min_t(size_t, nbytes, INT_MAX >> 6);
+- ret = extract_crng_user(buf, nbytes);
++ ret = get_random_bytes_user(buf, nbytes);
+ trace_urandom_read(8 * nbytes, 0, input_pool.entropy_count);
+ return ret;
+ }
+@@ -1561,8 +1615,15 @@ static atomic_t batch_generation = ATOMI
+
+ struct batched_entropy {
+ union {
+- u64 entropy_u64[CHACHA20_BLOCK_SIZE / sizeof(u64)];
+- u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)];
++ /*
++ * We make this 1.5x a ChaCha block, so that we get the
++ * remaining 32 bytes from fast key erasure, plus one full
++ * block from the detached ChaCha state. We can increase
++ * the size of this later if needed so long as we keep the
++ * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE.
++ */
++ u64 entropy_u64[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
++ u32 entropy_u32[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
+ };
+ unsigned int position;
+ int generation;
+@@ -1570,13 +1631,13 @@ struct batched_entropy {
+
+ /*
+ * Get a random word for internal kernel use only. The quality of the random
+- * number is good as /dev/urandom, but there is no backtrack protection, with
+- * the goal of being quite fast and not depleting entropy. In order to ensure
+- * that the randomness provided by this function is okay, the function
+- * wait_for_random_bytes() should be called and return 0 at least once at any
+- * point prior.
++ * number is good as /dev/urandom. In order to ensure that the randomness
++ * provided by this function is okay, the function wait_for_random_bytes()
++ * should be called and return 0 at least once at any point prior.
+ */
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
++ .position = UINT_MAX
++};
+
+ u64 get_random_u64(void)
+ {
+@@ -1592,20 +1653,24 @@ u64 get_random_u64(void)
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+
+ next_gen = atomic_read(&batch_generation);
+- if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0 ||
++ if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
+ next_gen != batch->generation) {
+- extract_crng((u8 *)batch->entropy_u64);
++ _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
+ batch->position = 0;
+ batch->generation = next_gen;
+ }
+
+- ret = batch->entropy_u64[batch->position++];
++ ret = batch->entropy_u64[batch->position];
++ batch->entropy_u64[batch->position] = 0;
++ ++batch->position;
+ local_irq_restore(flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u64);
+
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
++ .position = UINT_MAX
++};
+
+ u32 get_random_u32(void)
+ {
+@@ -1621,14 +1686,16 @@ u32 get_random_u32(void)
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+
+ next_gen = atomic_read(&batch_generation);
+- if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0 ||
++ if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
+ next_gen != batch->generation) {
+- extract_crng((u8 *)batch->entropy_u32);
++ _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
+ batch->position = 0;
+ batch->generation = next_gen;
+ }
+
+- ret = batch->entropy_u32[batch->position++];
++ ret = batch->entropy_u32[batch->position];
++ batch->entropy_u32[batch->position] = 0;
++ ++batch->position;
+ local_irq_restore(flags);
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 15 Jan 2022 14:40:04 +0100
+Subject: random: access input_pool_data directly rather than through pointer
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 6c0eace6e1499712583b6ee62d95161e8b3449f5 upstream.
+
+This gets rid of another abstraction we no longer need. It would be nice
+if we could instead make pool an array rather than a pointer, but the
+latent entropy plugin won't be able to do its magic in that case. So
+instead we put all accesses to the input pool's actual data through the
+input_pool_data array directly.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 222 +++++++++++++++++++++++---------------------------
+ 1 file changed, 103 insertions(+), 119 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -124,7 +124,7 @@
+ *
+ * The primary kernel interface is
+ *
+- * void get_random_bytes(void *buf, int nbytes);
++ * void get_random_bytes(void *buf, int nbytes);
+ *
+ * This interface will return the requested number of random bytes,
+ * and place it in the requested buffer. This is equivalent to a
+@@ -132,10 +132,10 @@
+ *
+ * For less critical applications, there are the functions:
+ *
+- * u32 get_random_u32()
+- * u64 get_random_u64()
+- * unsigned int get_random_int()
+- * unsigned long get_random_long()
++ * u32 get_random_u32()
++ * u64 get_random_u64()
++ * unsigned int get_random_int()
++ * unsigned long get_random_long()
+ *
+ * These are produced by a cryptographic RNG seeded from get_random_bytes,
+ * and so do not deplete the entropy pool as much. These are recommended
+@@ -197,10 +197,10 @@
+ * from the devices are:
+ *
+ * void add_device_randomness(const void *buf, unsigned int size);
+- * void add_input_randomness(unsigned int type, unsigned int code,
++ * void add_input_randomness(unsigned int type, unsigned int code,
+ * unsigned int value);
+ * void add_interrupt_randomness(int irq);
+- * void add_disk_randomness(struct gendisk *disk);
++ * void add_disk_randomness(struct gendisk *disk);
+ * void add_hwgenerator_randomness(const char *buffer, size_t count,
+ * size_t entropy);
+ * void add_bootloader_randomness(const void *buf, unsigned int size);
+@@ -296,8 +296,8 @@
+ * /dev/random and /dev/urandom created already, they can be created
+ * by using the commands:
+ *
+- * mknod /dev/random c 1 8
+- * mknod /dev/urandom c 1 9
++ * mknod /dev/random c 1 8
++ * mknod /dev/urandom c 1 9
+ *
+ * Acknowledgements:
+ * =================
+@@ -443,9 +443,9 @@ static DEFINE_SPINLOCK(random_ready_list
+ static LIST_HEAD(random_ready_list);
+
+ struct crng_state {
+- u32 state[16];
+- unsigned long init_time;
+- spinlock_t lock;
++ u32 state[16];
++ unsigned long init_time;
++ spinlock_t lock;
+ };
+
+ static struct crng_state primary_crng = {
+@@ -469,7 +469,7 @@ static bool crng_need_final_init = false
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+-#define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
++#define CRNG_INIT_CNT_THRESH (2 * CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE]);
+ static void _crng_backtrack_protect(struct crng_state *crng,
+ u8 tmp[CHACHA20_BLOCK_SIZE], int used);
+@@ -496,17 +496,12 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ static u32 input_pool_data[POOL_WORDS] __latent_entropy;
+
+ static struct {
+- /* read-only data: */
+- u32 *pool;
+-
+- /* read-write data: */
+ spinlock_t lock;
+ u16 add_ptr;
+ u16 input_rotate;
+ int entropy_count;
+ } input_pool = {
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+- .pool = input_pool_data
+ };
+
+ static ssize_t extract_entropy(void *buf, size_t nbytes, int min);
+@@ -514,7 +509,7 @@ static ssize_t _extract_entropy(void *bu
+
+ static void crng_reseed(struct crng_state *crng, bool use_input_pool);
+
+-static u32 const twist_table[8] = {
++static const u32 twist_table[8] = {
+ 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+ 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+
+@@ -544,15 +539,15 @@ static void _mix_pool_bytes(const void *
+ i = (i - 1) & POOL_WORDMASK;
+
+ /* XOR in the various taps */
+- w ^= input_pool.pool[i];
+- w ^= input_pool.pool[(i + POOL_TAP1) & POOL_WORDMASK];
+- w ^= input_pool.pool[(i + POOL_TAP2) & POOL_WORDMASK];
+- w ^= input_pool.pool[(i + POOL_TAP3) & POOL_WORDMASK];
+- w ^= input_pool.pool[(i + POOL_TAP4) & POOL_WORDMASK];
+- w ^= input_pool.pool[(i + POOL_TAP5) & POOL_WORDMASK];
++ w ^= input_pool_data[i];
++ w ^= input_pool_data[(i + POOL_TAP1) & POOL_WORDMASK];
++ w ^= input_pool_data[(i + POOL_TAP2) & POOL_WORDMASK];
++ w ^= input_pool_data[(i + POOL_TAP3) & POOL_WORDMASK];
++ w ^= input_pool_data[(i + POOL_TAP4) & POOL_WORDMASK];
++ w ^= input_pool_data[(i + POOL_TAP5) & POOL_WORDMASK];
+
+ /* Mix the result back in with a twist */
+- input_pool.pool[i] = (w >> 3) ^ twist_table[w & 7];
++ input_pool_data[i] = (w >> 3) ^ twist_table[w & 7];
+
+ /*
+ * Normally, we add 7 bits of rotation to the pool.
+@@ -584,10 +579,10 @@ static void mix_pool_bytes(const void *i
+ }
+
+ struct fast_pool {
+- u32 pool[4];
+- unsigned long last;
+- u16 reg_idx;
+- u8 count;
++ u32 pool[4];
++ unsigned long last;
++ u16 reg_idx;
++ u8 count;
+ };
+
+ /*
+@@ -715,7 +710,7 @@ static int credit_entropy_bits_safe(int
+ return -EINVAL;
+
+ /* Cap the value to avoid overflows */
+- nbits = min(nbits, POOL_BITS);
++ nbits = min(nbits, POOL_BITS);
+
+ credit_entropy_bits(nbits);
+ return 0;
+@@ -727,7 +722,7 @@ static int credit_entropy_bits_safe(int
+ *
+ *********************************************************************/
+
+-#define CRNG_RESEED_INTERVAL (300*HZ)
++#define CRNG_RESEED_INTERVAL (300 * HZ)
+
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+
+@@ -750,9 +745,9 @@ early_param("random.trust_cpu", parse_tr
+
+ static bool crng_init_try_arch(struct crng_state *crng)
+ {
+- int i;
+- bool arch_init = true;
+- unsigned long rv;
++ int i;
++ bool arch_init = true;
++ unsigned long rv;
+
+ for (i = 4; i < 16; i++) {
+ if (!arch_get_random_seed_long(&rv) &&
+@@ -768,9 +763,9 @@ static bool crng_init_try_arch(struct cr
+
+ static bool __init crng_init_try_arch_early(struct crng_state *crng)
+ {
+- int i;
+- bool arch_init = true;
+- unsigned long rv;
++ int i;
++ bool arch_init = true;
++ unsigned long rv;
+
+ for (i = 4; i < 16; i++) {
+ if (!arch_get_random_seed_long_early(&rv) &&
+@@ -840,7 +835,7 @@ static void do_numa_crng_init(struct wor
+ struct crng_state *crng;
+ struct crng_state **pool;
+
+- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
++ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL | __GFP_NOFAIL);
+ for_each_online_node(i) {
+ crng = kmalloc_node(sizeof(struct crng_state),
+ GFP_KERNEL | __GFP_NOFAIL, i);
+@@ -896,7 +891,7 @@ static size_t crng_fast_load(const u8 *c
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ return 0;
+ }
+- p = (u8 *) &primary_crng.state[4];
++ p = (u8 *)&primary_crng.state[4];
+ while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+ p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
+ cp++; crng_init_cnt++; len--; ret++;
+@@ -926,12 +921,12 @@ static size_t crng_fast_load(const u8 *c
+ */
+ static int crng_slow_load(const u8 *cp, size_t len)
+ {
+- unsigned long flags;
+- static u8 lfsr = 1;
+- u8 tmp;
+- unsigned int i, max = CHACHA20_KEY_SIZE;
+- const u8 * src_buf = cp;
+- u8 * dest_buf = (u8 *) &primary_crng.state[4];
++ unsigned long flags;
++ static u8 lfsr = 1;
++ u8 tmp;
++ unsigned int i, max = CHACHA20_KEY_SIZE;
++ const u8 *src_buf = cp;
++ u8 *dest_buf = (u8 *)&primary_crng.state[4];
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+@@ -942,7 +937,7 @@ static int crng_slow_load(const u8 *cp,
+ if (len > max)
+ max = len;
+
+- for (i = 0; i < max ; i++) {
++ for (i = 0; i < max; i++) {
+ tmp = lfsr;
+ lfsr >>= 1;
+ if (tmp & 1)
+@@ -957,11 +952,11 @@ static int crng_slow_load(const u8 *cp,
+
+ static void crng_reseed(struct crng_state *crng, bool use_input_pool)
+ {
+- unsigned long flags;
+- int i, num;
++ unsigned long flags;
++ int i, num;
+ union {
+- u8 block[CHACHA20_BLOCK_SIZE];
+- u32 key[8];
++ u8 block[CHACHA20_BLOCK_SIZE];
++ u32 key[8];
+ } buf;
+
+ if (use_input_pool) {
+@@ -975,11 +970,11 @@ static void crng_reseed(struct crng_stat
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+ for (i = 0; i < 8; i++) {
+- unsigned long rv;
++ unsigned long rv;
+ if (!arch_get_random_seed_long(&rv) &&
+ !arch_get_random_long(&rv))
+ rv = random_get_entropy();
+- crng->state[i+4] ^= buf.key[i] ^ rv;
++ crng->state[i + 4] ^= buf.key[i] ^ rv;
+ }
+ memzero_explicit(&buf, sizeof(buf));
+ WRITE_ONCE(crng->init_time, jiffies);
+@@ -987,8 +982,7 @@ static void crng_reseed(struct crng_stat
+ crng_finalize_init(crng);
+ }
+
+-static void _extract_crng(struct crng_state *crng,
+- u8 out[CHACHA20_BLOCK_SIZE])
++static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ unsigned long flags, init_time;
+
+@@ -1017,9 +1011,9 @@ static void extract_crng(u8 out[CHACHA20
+ static void _crng_backtrack_protect(struct crng_state *crng,
+ u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+- unsigned long flags;
+- u32 *s, *d;
+- int i;
++ unsigned long flags;
++ u32 *s, *d;
++ int i;
+
+ used = round_up(used, sizeof(u32));
+ if (used + CHACHA20_KEY_SIZE > CHACHA20_BLOCK_SIZE) {
+@@ -1027,9 +1021,9 @@ static void _crng_backtrack_protect(stru
+ used = 0;
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+- s = (u32 *) &tmp[used];
++ s = (u32 *)&tmp[used];
+ d = &crng->state[4];
+- for (i=0; i < 8; i++)
++ for (i = 0; i < 8; i++)
+ *d++ ^= *s++;
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+@@ -1074,7 +1068,6 @@ static ssize_t extract_crng_user(void __
+ return ret;
+ }
+
+-
+ /*********************************************************************
+ *
+ * Entropy input management
+@@ -1169,11 +1162,11 @@ static void add_timer_randomness(struct
+ * Round down by 1 bit on general principles,
+ * and limit entropy estimate to 12 bits.
+ */
+- credit_entropy_bits(min_t(int, fls(delta>>1), 11));
++ credit_entropy_bits(min_t(int, fls(delta >> 1), 11));
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
+- unsigned int value)
++ unsigned int value)
+ {
+ static unsigned char last_value;
+
+@@ -1193,19 +1186,19 @@ static DEFINE_PER_CPU(struct fast_pool,
+ #ifdef ADD_INTERRUPT_BENCH
+ static unsigned long avg_cycles, avg_deviation;
+
+-#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
+-#define FIXED_1_2 (1 << (AVG_SHIFT-1))
++#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
++#define FIXED_1_2 (1 << (AVG_SHIFT - 1))
+
+ static void add_interrupt_bench(cycles_t start)
+ {
+- long delta = random_get_entropy() - start;
++ long delta = random_get_entropy() - start;
+
+- /* Use a weighted moving average */
+- delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
+- avg_cycles += delta;
+- /* And average deviation */
+- delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
+- avg_deviation += delta;
++ /* Use a weighted moving average */
++ delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
++ avg_cycles += delta;
++ /* And average deviation */
++ delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
++ avg_deviation += delta;
+ }
+ #else
+ #define add_interrupt_bench(x)
+@@ -1213,7 +1206,7 @@ static void add_interrupt_bench(cycles_t
+
+ static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+- u32 *ptr = (u32 *) regs;
++ u32 *ptr = (u32 *)regs;
+ unsigned int idx;
+
+ if (regs == NULL)
+@@ -1228,12 +1221,12 @@ static u32 get_reg(struct fast_pool *f,
+
+ void add_interrupt_randomness(int irq)
+ {
+- struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+- struct pt_regs *regs = get_irq_regs();
+- unsigned long now = jiffies;
+- cycles_t cycles = random_get_entropy();
+- u32 c_high, j_high;
+- u64 ip;
++ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
++ struct pt_regs *regs = get_irq_regs();
++ unsigned long now = jiffies;
++ cycles_t cycles = random_get_entropy();
++ u32 c_high, j_high;
++ u64 ip;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+@@ -1243,8 +1236,8 @@ void add_interrupt_randomness(int irq)
+ fast_pool->pool[1] ^= now ^ c_high;
+ ip = regs ? instruction_pointer(regs) : _RET_IP_;
+ fast_pool->pool[2] ^= ip;
+- fast_pool->pool[3] ^= (sizeof(ip) > 4) ? ip >> 32 :
+- get_reg(fast_pool, regs);
++ fast_pool->pool[3] ^=
++ (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
+
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
+@@ -1258,8 +1251,7 @@ void add_interrupt_randomness(int irq)
+ return;
+ }
+
+- if ((fast_pool->count < 64) &&
+- !time_after(now, fast_pool->last + HZ))
++ if ((fast_pool->count < 64) && !time_after(now, fast_pool->last + HZ))
+ return;
+
+ if (!spin_trylock(&input_pool.lock))
+@@ -1323,7 +1315,7 @@ retry:
+ entropy_count = 0;
+ }
+ nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
+- if ((size_t) entropy_count > nfrac)
++ if ((size_t)entropy_count > nfrac)
+ entropy_count -= nfrac;
+ else
+ entropy_count = 0;
+@@ -1368,7 +1360,7 @@ static void extract_buf(u8 *out)
+
+ /* Generate a hash across the pool */
+ spin_lock_irqsave(&input_pool.lock, flags);
+- blake2s_update(&state, (const u8 *)input_pool.pool, POOL_BYTES);
++ blake2s_update(&state, (const u8 *)input_pool_data, POOL_BYTES);
+ blake2s_final(&state, hash); /* final zeros out state */
+
+ /*
+@@ -1426,10 +1418,9 @@ static ssize_t extract_entropy(void *buf
+ }
+
+ #define warn_unseeded_randomness(previous) \
+- _warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous))
++ _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
+
+-static void _warn_unseeded_randomness(const char *func_name, void *caller,
+- void **previous)
++static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
+ {
+ #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
+ const bool print_once = false;
+@@ -1437,8 +1428,7 @@ static void _warn_unseeded_randomness(co
+ static bool print_once __read_mostly;
+ #endif
+
+- if (print_once ||
+- crng_ready() ||
++ if (print_once || crng_ready() ||
+ (previous && (caller == READ_ONCE(*previous))))
+ return;
+ WRITE_ONCE(*previous, caller);
+@@ -1446,9 +1436,8 @@ static void _warn_unseeded_randomness(co
+ print_once = true;
+ #endif
+ if (__ratelimit(&unseeded_warning))
+- printk_deferred(KERN_NOTICE "random: %s called from %pS "
+- "with crng_init=%d\n", func_name, caller,
+- crng_init);
++ printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
++ func_name, caller, crng_init);
+ }
+
+ /*
+@@ -1491,7 +1480,6 @@ void get_random_bytes(void *buf, int nby
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+
+-
+ /*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
+@@ -1530,7 +1518,7 @@ static void try_to_generate_entropy(void
+ __setup_timer_on_stack(&stack.timer, entropy_timer, 0, 0);
+ while (!crng_ready()) {
+ if (!timer_pending(&stack.timer))
+- mod_timer(&stack.timer, jiffies+1);
++ mod_timer(&stack.timer, jiffies + 1);
+ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ schedule();
+ stack.now = random_get_entropy();
+@@ -1740,9 +1728,8 @@ void rand_initialize_disk(struct gendisk
+ }
+ #endif
+
+-static ssize_t
+-urandom_read_nowarn(struct file *file, char __user *buf, size_t nbytes,
+- loff_t *ppos)
++static ssize_t urandom_read_nowarn(struct file *file, char __user *buf,
++ size_t nbytes, loff_t *ppos)
+ {
+ int ret;
+
+@@ -1752,8 +1739,8 @@ urandom_read_nowarn(struct file *file, c
+ return ret;
+ }
+
+-static ssize_t
+-urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
++static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
++ loff_t *ppos)
+ {
+ static int maxwarn = 10;
+
+@@ -1767,8 +1754,8 @@ urandom_read(struct file *file, char __u
+ return urandom_read_nowarn(file, buf, nbytes, ppos);
+ }
+
+-static ssize_t
+-random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
++static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
++ loff_t *ppos)
+ {
+ int ret;
+
+@@ -1778,8 +1765,7 @@ random_read(struct file *file, char __us
+ return urandom_read_nowarn(file, buf, nbytes, ppos);
+ }
+
+-static unsigned int
+-random_poll(struct file *file, poll_table * wait)
++static unsigned int random_poll(struct file *file, poll_table *wait)
+ {
+ unsigned int mask;
+
+@@ -1793,8 +1779,7 @@ random_poll(struct file *file, poll_tabl
+ return mask;
+ }
+
+-static int
+-write_pool(const char __user *buffer, size_t count)
++static int write_pool(const char __user *buffer, size_t count)
+ {
+ size_t bytes;
+ u32 t, buf[16];
+@@ -1896,35 +1881,35 @@ static int random_fasync(int fd, struct
+ }
+
+ const struct file_operations random_fops = {
+- .read = random_read,
++ .read = random_read,
+ .write = random_write,
+- .poll = random_poll,
++ .poll = random_poll,
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+ .llseek = noop_llseek,
+ };
+
+ const struct file_operations urandom_fops = {
+- .read = urandom_read,
++ .read = urandom_read,
+ .write = random_write,
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+ .llseek = noop_llseek,
+ };
+
+-SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
+- unsigned int, flags)
++SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
++ flags)
+ {
+ int ret;
+
+- if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE))
++ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+ return -EINVAL;
+
+ /*
+ * Requesting insecure and blocking randomness at the same time makes
+ * no sense.
+ */
+- if ((flags & (GRND_INSECURE|GRND_RANDOM)) == (GRND_INSECURE|GRND_RANDOM))
++ if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+ return -EINVAL;
+
+ if (count > INT_MAX)
+@@ -2072,7 +2057,7 @@ struct ctl_table random_table[] = {
+ #endif
+ { }
+ };
+-#endif /* CONFIG_SYSCTL */
++#endif /* CONFIG_SYSCTL */
+
+ struct batched_entropy {
+ union {
+@@ -2092,7 +2077,7 @@ struct batched_entropy {
+ * point prior.
+ */
+ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
+- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
+ };
+
+ u64 get_random_u64(void)
+@@ -2117,7 +2102,7 @@ u64 get_random_u64(void)
+ EXPORT_SYMBOL(get_random_u64);
+
+ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
+- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
++ .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
+ };
+ u32 get_random_u32(void)
+ {
+@@ -2149,7 +2134,7 @@ static void invalidate_batched_entropy(v
+ int cpu;
+ unsigned long flags;
+
+- for_each_possible_cpu (cpu) {
++ for_each_possible_cpu(cpu) {
+ struct batched_entropy *batched_entropy;
+
+ batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
+@@ -2178,8 +2163,7 @@ static void invalidate_batched_entropy(v
+ * Return: A page aligned address within [start, start + range). On error,
+ * @start is returned.
+ */
+-unsigned long
+-randomize_page(unsigned long start, unsigned long range)
++unsigned long randomize_page(unsigned long start, unsigned long range)
+ {
+ if (!PAGE_ALIGNED(start)) {
+ range -= PAGE_ALIGN(start) - start;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Sun, 30 Jan 2022 22:03:19 +0100
+Subject: random: access primary_pool directly rather than through pointer
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit ebf7606388732ecf2821ca21087e9446cb4a5b57 upstream.
+
+Both crng_initialize_primary() and crng_init_try_arch_early() are
+only called for the primary_pool. Accessing it directly instead of
+through a function parameter simplifies the code.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -761,7 +761,7 @@ static bool crng_init_try_arch(struct cr
+ return arch_init;
+ }
+
+-static bool __init crng_init_try_arch_early(struct crng_state *crng)
++static bool __init crng_init_try_arch_early(void)
+ {
+ int i;
+ bool arch_init = true;
+@@ -773,7 +773,7 @@ static bool __init crng_init_try_arch_ea
+ rv = random_get_entropy();
+ arch_init = false;
+ }
+- crng->state[i] ^= rv;
++ primary_crng.state[i] ^= rv;
+ }
+
+ return arch_init;
+@@ -787,16 +787,16 @@ static void crng_initialize_secondary(st
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
+-static void __init crng_initialize_primary(struct crng_state *crng)
++static void __init crng_initialize_primary(void)
+ {
+- _extract_entropy(&crng->state[4], sizeof(u32) * 12);
+- if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
++ _extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
++ if (crng_init_try_arch_early() && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+ crng_init = 2;
+ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+- crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
++ primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
+ static void crng_finalize_init(struct crng_state *crng)
+@@ -1697,7 +1697,7 @@ int __init rand_initialize(void)
+ init_std_data();
+ if (crng_need_final_init)
+ crng_finalize_init(&primary_crng);
+- crng_initialize_primary(&primary_crng);
++ crng_initialize_primary();
+ crng_global_init_time = jiffies;
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 7 Jun 2022 17:04:38 +0200
+Subject: random: account for arch randomness in bits
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 77fc95f8c0dc9e1f8e620ec14d2fb65028fb7adc upstream.
+
+Rather than accounting in bytes and multiplying (shifting), we can just
+account in bits and avoid the shift. The main motivation for this is
+there are other patches in flux that expand this code a bit, and
+avoiding the duplication of "* 8" everywhere makes things a bit clearer.
+
+Cc: stable@vger.kernel.org
+Fixes: 12e45a2a6308 ("random: credit architectural init the exact amount")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -809,7 +809,7 @@ early_param("random.trust_bootloader", p
+ int __init random_init(const char *command_line)
+ {
+ ktime_t now = ktime_get_real();
+- unsigned int i, arch_bytes;
++ unsigned int i, arch_bits;
+ unsigned long entropy;
+
+ #if defined(LATENT_ENTROPY_PLUGIN)
+@@ -817,12 +817,12 @@ int __init random_init(const char *comma
+ _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
+ #endif
+
+- for (i = 0, arch_bytes = BLAKE2S_BLOCK_SIZE;
++ for (i = 0, arch_bits = BLAKE2S_BLOCK_SIZE * 8;
+ i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) {
+ if (!arch_get_random_seed_long_early(&entropy) &&
+ !arch_get_random_long_early(&entropy)) {
+ entropy = random_get_entropy();
+- arch_bytes -= sizeof(entropy);
++ arch_bits -= sizeof(entropy) * 8;
+ }
+ _mix_pool_bytes(&entropy, sizeof(entropy));
+ }
+@@ -834,7 +834,7 @@ int __init random_init(const char *comma
+ if (crng_ready())
+ crng_reseed();
+ else if (trust_cpu)
+- _credit_init_bits(arch_bytes * 8);
++ _credit_init_bits(arch_bits);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 17 Jul 2018 18:24:27 -0400
+Subject: random: add a config option to trust the CPU's hwrng
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 39a8883a2b989d1d21bd8dd99f5557f0c5e89694 upstream.
+
+This gives the user building their own kernel (or a Linux
+distribution) the option of deciding whether or not to trust the CPU's
+hardware random number generator (e.g., RDRAND for x86 CPU's) as being
+correctly implemented and not having a back door introduced (perhaps
+courtesy of a Nation State's law enforcement or intelligence
+agencies).
+
+This will prevent getrandom(2) from blocking, if there is a
+willingness to trust the CPU manufacturer.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/Kconfig | 14 ++++++++++++++
+ drivers/char/random.c | 11 ++++++++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -590,3 +590,17 @@ source "drivers/char/xillybus/Kconfig"
+
+ endmenu
+
++config RANDOM_TRUST_CPU
++ bool "Trust the CPU manufacturer to initialize Linux's CRNG"
++ depends on X86 || S390 || PPC
++ default n
++ help
++ Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or
++ RDRAND, IBM for the S390 and Power PC architectures) is trustworthy
++ for the purposes of initializing Linux's CRNG. Since this is not
++ something that can be independently audited, this amounts to trusting
++ that CPU manufacturer (perhaps with the insistence or mandate
++ of a Nation State's intelligence or law enforcement agencies)
++ has not installed a hidden back door to compromise the CPU's
++ random number generation facilities.
++
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -782,6 +782,7 @@ static void invalidate_batched_entropy(v
+ static void crng_initialize(struct crng_state *crng)
+ {
+ int i;
++ int arch_init = 1;
+ unsigned long rv;
+
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+@@ -792,10 +793,18 @@ static void crng_initialize(struct crng_
+ _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
+ for (i = 4; i < 16; i++) {
+ if (!arch_get_random_seed_long(&rv) &&
+- !arch_get_random_long(&rv))
++ !arch_get_random_long(&rv)) {
+ rv = random_get_entropy();
++ arch_init = 0;
++ }
+ crng->state[i] ^= rv;
+ }
++#ifdef CONFIG_RANDOM_TRUST_CPU
++ if (arch_init) {
++ crng_init = 2;
++ pr_notice("random: crng done (trusting CPU's manufacturer)\n");
++ }
++#endif
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:45 -0800
+Subject: random: Add a urandom_read_nowait() for random APIs that don't warn
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit c6f1deb158789abba02a7eba600747843eeb3a57 upstream.
+
+/dev/random and getrandom() never warn. Split the meat of
+urandom_read() into urandom_read_nowarn() and leave the warning code
+in urandom_read().
+
+This has no effect on kernel behavior, but it makes subsequent
+patches more straightforward. It also makes the fact that
+getrandom() never warns more obvious.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/c87ab200588de746431d9f916501ef11e5242b13.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1962,11 +1962,22 @@ random_read(struct file *file, char __us
+ }
+
+ static ssize_t
++urandom_read_nowarn(struct file *file, char __user *buf, size_t nbytes,
++ loff_t *ppos)
++{
++ int ret;
++
++ nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
++ ret = extract_crng_user(buf, nbytes);
++ trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS(&input_pool));
++ return ret;
++}
++
++static ssize_t
+ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
+ {
+ unsigned long flags;
+ static int maxwarn = 10;
+- int ret;
+
+ if (!crng_ready() && maxwarn > 0) {
+ maxwarn--;
+@@ -1978,10 +1989,8 @@ urandom_read(struct file *file, char __u
+ crng_init_cnt = 0;
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ }
+- nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
+- ret = extract_crng_user(buf, nbytes);
+- trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS(&input_pool));
+- return ret;
++
++ return urandom_read_nowarn(file, buf, nbytes, ppos);
+ }
+
+ static unsigned int
+@@ -2141,7 +2150,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (unlikely(ret))
+ return ret;
+ }
+- return urandom_read(NULL, buf, count, NULL);
++ return urandom_read_nowarn(NULL, buf, count, NULL);
+ }
+
+ /********************************************************************
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Fri, 7 Jun 2019 14:25:15 -0400
+Subject: random: Add and use pr_fmt()
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 12cd53aff5ea0359b1dac91fcd9ddc7b9e646588 upstream.
+
+Prefix all printk/pr_<level> messages with "random: " to make the
+logging a bit more consistent.
+
+Miscellanea:
+
+o Convert a printks to pr_notice
+o Whitespace to align to open parentheses
+o Remove embedded "random: " from pr_* as pr_fmt adds it
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Link: https://lore.kernel.org/r/20190607182517.28266-3-tiny.windzz@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -307,6 +307,8 @@
+ * Eastlake, Steve Crocker, and Jeff Schiller.
+ */
+
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
+ #include <linux/utsname.h>
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+@@ -739,7 +741,7 @@ retry:
+ }
+
+ if (WARN_ON(entropy_count < 0)) {
+- pr_warn("random: negative entropy/overflow: pool %s count %d\n",
++ pr_warn("negative entropy/overflow: pool %s count %d\n",
+ r->name, entropy_count);
+ entropy_count = 0;
+ } else if (entropy_count > pool_size)
+@@ -832,7 +834,7 @@ static void crng_initialize(struct crng_
+ }
+ if (trust_cpu && arch_init) {
+ crng_init = 2;
+- pr_notice("random: crng done (trusting CPU's manufacturer)\n");
++ pr_notice("crng done (trusting CPU's manufacturer)\n");
+ }
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+@@ -856,14 +858,12 @@ static void crng_finalize_init(struct cr
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ pr_notice("crng init done\n");
+ if (unseeded_warning.missed) {
+- pr_notice("random: %d get_random_xx warning(s) missed "
+- "due to ratelimiting\n",
++ pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
+ unseeded_warning.missed);
+ unseeded_warning.missed = 0;
+ }
+ if (urandom_warning.missed) {
+- pr_notice("random: %d urandom warning(s) missed "
+- "due to ratelimiting\n",
++ pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
+ urandom_warning.missed);
+ urandom_warning.missed = 0;
+ }
+@@ -944,7 +944,7 @@ static int crng_fast_load(const char *cp
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ invalidate_batched_entropy();
+ crng_init = 1;
+- pr_notice("random: fast init done\n");
++ pr_notice("fast init done\n");
+ }
+ return 1;
+ }
+@@ -1380,7 +1380,7 @@ retry:
+ ibytes = 0;
+
+ if (WARN_ON(entropy_count < 0)) {
+- pr_warn("random: negative entropy count: pool %s count %d\n",
++ pr_warn("negative entropy count: pool %s count %d\n",
+ r->name, entropy_count);
+ entropy_count = 0;
+ }
+@@ -1806,9 +1806,8 @@ urandom_read(struct file *file, char __u
+ if (!crng_ready() && maxwarn > 0) {
+ maxwarn--;
+ if (__ratelimit(&urandom_warning))
+- printk(KERN_NOTICE "random: %s: uninitialized "
+- "urandom read (%zd bytes read)\n",
+- current->comm, nbytes);
++ pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
++ current->comm, nbytes);
+ spin_lock_irqsave(&primary_crng.lock, flags);
+ crng_init_cnt = 0;
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 10 Feb 2020 13:00:13 +0000
+Subject: random: add arch_get_random_*long_early()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 253d3194c2b58152fe830fd27c2fd83ebc6fe5ee upstream.
+
+Some architectures (e.g. arm64) can have heterogeneous CPUs, and the
+boot CPU may be able to provide entropy while secondary CPUs cannot. On
+such systems, arch_get_random_long() and arch_get_random_seed_long()
+will fail unless support for RNG instructions has been detected on all
+CPUs. This prevents the boot CPU from being able to provide
+(potentially) trusted entropy when seeding the primary CRNG.
+
+To make it possible to seed the primary CRNG from the boot CPU without
+adversely affecting the runtime versions of arch_get_random_long() and
+arch_get_random_seed_long(), this patch adds new early versions of the
+functions used when initializing the primary CRNG.
+
+Default implementations are provided atop of the existing
+arch_get_random_long() and arch_get_random_seed_long() so that only
+architectures with such constraints need to provide the new helpers.
+
+There should be no functional change as a result of this patch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20200210130015.17664-3-mark.rutland@arm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 20 +++++++++++++++++++-
+ include/linux/random.h | 22 ++++++++++++++++++++++
+ 2 files changed, 41 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -800,6 +800,24 @@ static bool crng_init_try_arch(struct cr
+ return arch_init;
+ }
+
++static bool __init crng_init_try_arch_early(struct crng_state *crng)
++{
++ int i;
++ bool arch_init = true;
++ unsigned long rv;
++
++ for (i = 4; i < 16; i++) {
++ if (!arch_get_random_seed_long_early(&rv) &&
++ !arch_get_random_long_early(&rv)) {
++ rv = random_get_entropy();
++ arch_init = false;
++ }
++ crng->state[i] ^= rv;
++ }
++
++ return arch_init;
++}
++
+ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
+ {
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+@@ -812,7 +830,7 @@ static void __init crng_initialize_prima
+ {
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+ _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
+- if (crng_init_try_arch(crng) && trust_cpu) {
++ if (crng_init_try_arch_early(crng) && trust_cpu) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+ crng_init = 2;
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -7,6 +7,8 @@
+ #ifndef _LINUX_RANDOM_H
+ #define _LINUX_RANDOM_H
+
++#include <linux/bug.h>
++#include <linux/kernel.h>
+ #include <linux/list.h>
+ #include <linux/once.h>
+
+@@ -136,4 +138,24 @@ static inline bool __must_check arch_get
+ }
+ #endif
+
++/*
++ * Called from the boot CPU during startup; not valid to call once
++ * secondary CPUs are up and preemption is possible.
++ */
++#ifndef arch_get_random_seed_long_early
++static inline bool __init arch_get_random_seed_long_early(unsigned long *v)
++{
++ WARN_ON(system_state != SYSTEM_BOOTING);
++ return arch_get_random_seed_long(v);
++}
++#endif
++
++#ifndef arch_get_random_long_early
++static inline bool __init arch_get_random_long_early(unsigned long *v)
++{
++ WARN_ON(system_state != SYSTEM_BOOTING);
++ return arch_get_random_long(v);
++}
++#endif
++
+ #endif /* _LINUX_RANDOM_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:46 -0800
+Subject: random: add GRND_INSECURE to return best-effort non-cryptographic bytes
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 75551dbf112c992bc6c99a972990b3f272247e23 upstream.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/d5473b56cf1fa900ca4bd2b3fc1e5b8874399919.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 11 +++++++++--
+ include/uapi/linux/random.h | 2 ++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2134,7 +2134,14 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ {
+ int ret;
+
+- if (flags & ~(GRND_NONBLOCK|GRND_RANDOM))
++ if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE))
++ return -EINVAL;
++
++ /*
++ * Requesting insecure and blocking randomness at the same time makes
++ * no sense.
++ */
++ if ((flags & (GRND_INSECURE|GRND_RANDOM)) == (GRND_INSECURE|GRND_RANDOM))
+ return -EINVAL;
+
+ if (count > INT_MAX)
+@@ -2143,7 +2150,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (flags & GRND_RANDOM)
+ return _random_read(flags & GRND_NONBLOCK, buf, count);
+
+- if (!crng_ready()) {
++ if (!(flags & GRND_INSECURE) && !crng_ready()) {
+ if (flags & GRND_NONBLOCK)
+ return -EAGAIN;
+ ret = wait_for_random_bytes();
+--- a/include/uapi/linux/random.h
++++ b/include/uapi/linux/random.h
+@@ -49,8 +49,10 @@ struct rand_pool_info {
+ *
+ * GRND_NONBLOCK Don't block and return EAGAIN instead
+ * GRND_RANDOM Use the /dev/random pool instead of /dev/urandom
++ * GRND_INSECURE Return non-cryptographic random bytes
+ */
+ #define GRND_NONBLOCK 0x0001
+ #define GRND_RANDOM 0x0002
++#define GRND_INSECURE 0x0004
+
+ #endif /* _UAPI_LINUX_RANDOM_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 10 Feb 2022 16:43:57 +0100
+Subject: random: add proper SPDX header
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a07fdae346c35c6ba286af1c88e0effcfa330bf9 upstream.
+
+Convert the current license into the SPDX notation of "(GPL-2.0 OR
+BSD-3-Clause)". This infers GPL-2.0 from the text "ALTERNATIVELY, this
+product may be distributed under the terms of the GNU General Public
+License, in which case the provisions of the GPL are required INSTEAD OF
+the above restrictions" and it infers BSD-3-Clause from the verbatim
+BSD 3 clause license in the file.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 37 +------------------------------------
+ 1 file changed, 1 insertion(+), 36 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1,44 +1,9 @@
++// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
+ /*
+- * random.c -- A strong random number generator
+- *
+ * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+- *
+ * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
+- *
+ * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All
+ * rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- * 1. Redistributions of source code must retain the above copyright
+- * notice, and the entire permission notice in its entirety,
+- * including the disclaimer of warranties.
+- * 2. Redistributions in binary form must reproduce the above copyright
+- * notice, this list of conditions and the following disclaimer in the
+- * documentation and/or other materials provided with the distribution.
+- * 3. The name of the author may not be used to endorse or promote
+- * products derived from this software without specific prior
+- * written permission.
+- *
+- * ALTERNATIVELY, this product may be distributed under the terms of
+- * the GNU General Public License, in which case the provisions of the GPL are
+- * required INSTEAD OF the above restrictions. (This clause is
+- * necessary due to a potential bad interaction between the GPL and
+- * the restrictions contained in a BSD-style copyright.)
+- *
+- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+- * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+- * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+- * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+- * DAMAGE.
+ */
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 4 Feb 2018 23:07:46 +0100
+Subject: random: always fill buffer in get_random_bytes_wait
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 25e3fca492035a2e1d4ac6e3b1edd9c1acd48897 upstream.
+
+In the unfortunate event that a developer fails to check the return
+value of get_random_bytes_wait, or simply wants to make a "best effort"
+attempt, for whatever that's worth, it's much better to still fill the
+buffer with _something_ rather than catastrophically failing in the case
+of an interruption. This is both a defense in depth measure against
+inevitable programming bugs, as well as a means of making the API a bit
+more useful.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -85,10 +85,8 @@ static inline unsigned long get_random_c
+ static inline int get_random_bytes_wait(void *buf, int nbytes)
+ {
+ int ret = wait_for_random_bytes();
+- if (unlikely(ret))
+- return ret;
+ get_random_bytes(buf, nbytes);
+- return 0;
++ return ret;
+ }
+
+ #define declare_get_random_var_wait(var) \
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 5 Feb 2022 14:00:58 +0100
+Subject: random: always wake up entropy writers after extraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 489c7fc44b5740d377e8cfdbf0851036e493af00 upstream.
+
+Now that POOL_BITS == POOL_MIN_BITS, we must unconditionally wake up
+entropy writers after every extraction. Therefore there's no point of
+write_wakeup_threshold, so we can move it to the dustbin of unused
+compatibility sysctls. While we're at it, we can fix a small comparison
+where we were waking up after <= min rather than < min.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sysctl/kernel.txt | 44 ++++++++++++++++++++++++++++++++++++++--
+ drivers/char/random.c | 36 ++++++++++++--------------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -781,9 +781,49 @@ The kernel command line parameter printk
+ a one-time setting until next reboot: once set, it cannot be changed by
+ this sysctl interface anymore.
+
+-==============================================================
++pty
++===
+
+-randomize_va_space:
++See Documentation/filesystems/devpts.rst.
++
++
++random
++======
++
++This is a directory, with the following entries:
++
++* ``boot_id``: a UUID generated the first time this is retrieved, and
++ unvarying after that;
++
++* ``entropy_avail``: the pool's entropy count, in bits;
++
++* ``poolsize``: the entropy pool size, in bits;
++
++* ``urandom_min_reseed_secs``: obsolete (used to determine the minimum
++ number of seconds between urandom pool reseeding). This file is
++ writable for compatibility purposes, but writing to it has no effect
++ on any RNG behavior.
++
++* ``uuid``: a UUID generated every time this is retrieved (this can
++ thus be used to generate UUIDs at will);
++
++* ``write_wakeup_threshold``: when the entropy count drops below this
++ (as a number of bits), processes waiting to write to ``/dev/random``
++ are woken up. This file is writable for compatibility purposes, but
++ writing to it has no effect on any RNG behavior.
++
++If ``drivers/char/random.c`` is built with ``ADD_INTERRUPT_BENCH``
++defined, these additional entries are present:
++
++* ``add_interrupt_avg_cycles``: the average number of cycles between
++ interrupts used to feed the pool;
++
++* ``add_interrupt_avg_deviation``: the standard deviation seen on the
++ number of cycles between interrupts used to feed the pool.
++
++
++randomize_va_space
++==================
+
+ This option can be used to select the type of process address
+ space randomization that is used in the system, for architectures
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -296,12 +296,6 @@ enum {
+ */
+ static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+ static struct fasync_struct *fasync;
+-/*
+- * If the entropy count falls under this number of bits, then we
+- * should wake up processes which are selecting or polling on write
+- * access to /dev/random.
+- */
+-static int random_write_wakeup_bits = POOL_MIN_BITS;
+
+ static DEFINE_SPINLOCK(random_ready_list_lock);
+ static LIST_HEAD(random_ready_list);
+@@ -738,10 +732,8 @@ static void crng_reseed(struct crng_stat
+ return;
+ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+ extract_entropy(buf.key, sizeof(buf.key));
+- if (random_write_wakeup_bits) {
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- }
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
+ } else {
+ _extract_crng(&primary_crng, buf.block);
+ _crng_backtrack_protect(&primary_crng, buf.block,
+@@ -1470,7 +1462,7 @@ static unsigned int random_poll(struct f
+ mask = 0;
+ if (crng_ready())
+ mask |= POLLIN | POLLRDNORM;
+- if (input_pool.entropy_count < random_write_wakeup_bits)
++ if (input_pool.entropy_count < POOL_MIN_BITS)
+ mask |= POLLOUT | POLLWRNORM;
+ return mask;
+ }
+@@ -1555,7 +1547,10 @@ static long random_ioctl(struct file *f,
+ */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+- input_pool.entropy_count = 0;
++ if (xchg(&input_pool.entropy_count, 0)) {
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ }
+ return 0;
+ case RNDRESEEDCRNG:
+ if (!capable(CAP_SYS_ADMIN))
+@@ -1630,9 +1625,9 @@ SYSCALL_DEFINE3(getrandom, char __user *
+
+ #include <linux/sysctl.h>
+
+-static int min_write_thresh;
+-static int max_write_thresh = POOL_BITS;
+ static int random_min_urandom_seed = 60;
++static int random_write_wakeup_bits = POOL_MIN_BITS;
++static int sysctl_poolsize = POOL_BITS;
+ static char sysctl_bootid[16];
+
+ /*
+@@ -1671,7 +1666,6 @@ static int proc_do_uuid(struct ctl_table
+ return proc_dostring(&fake_table, write, buffer, lenp, ppos);
+ }
+
+-static int sysctl_poolsize = POOL_BITS;
+ extern struct ctl_table random_table[];
+ struct ctl_table random_table[] = {
+ {
+@@ -1693,9 +1687,7 @@ struct ctl_table random_table[] = {
+ .data = &random_write_wakeup_bits,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = &min_write_thresh,
+- .extra2 = &max_write_thresh,
++ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "urandom_min_reseed_secs",
+@@ -1876,13 +1868,13 @@ void add_hwgenerator_randomness(const ch
+ }
+
+ /* Throttle writing if we're above the trickle threshold.
+- * We'll be woken up again once below random_write_wakeup_thresh,
+- * when the calling thread is about to terminate, or once
+- * CRNG_RESEED_INTERVAL has lapsed.
++ * We'll be woken up again once below POOL_MIN_BITS, when
++ * the calling thread is about to terminate, or once
++ * CRNG_RESEED_INTERVAL has elapsed.
+ */
+ wait_event_interruptible_timeout(random_write_wait,
+ !system_wq || kthread_should_stop() ||
+- input_pool.entropy_count <= random_write_wakeup_bits,
++ input_pool.entropy_count < POOL_MIN_BITS,
+ CRNG_RESEED_INTERVAL);
+ mix_pool_bytes(buffer, count);
+ credit_entropy_bits(entropy);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Thu, 5 Nov 2020 16:29:44 +0100
+Subject: random: avoid arch_get_random_seed_long() when collecting IRQ randomness
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 390596c9959c2a4f5b456df339f0604df3d55fe0 upstream.
+
+When reseeding the CRNG periodically, arch_get_random_seed_long() is
+called to obtain entropy from an architecture specific source if one
+is implemented. In most cases, these are special instructions, but in
+some cases, such as on ARM, we may want to back this using firmware
+calls, which are considerably more expensive.
+
+Another call to arch_get_random_seed_long() exists in the CRNG driver,
+in add_interrupt_randomness(), which collects entropy by capturing
+inter-interrupt timing and relying on interrupt jitter to provide
+random bits. This is done by keeping a per-CPU state, and mixing in
+the IRQ number, the cycle counter and the return address every time an
+interrupt is taken, and mixing this per-CPU state into the entropy pool
+every 64 invocations, or at least once per second. The entropy that is
+gathered this way is credited as 1 bit of entropy. Every time this
+happens, arch_get_random_seed_long() is invoked, and the result is
+mixed in as well, and also credited with 1 bit of entropy.
+
+This means that arch_get_random_seed_long() is called at least once
+per second on every CPU, which seems excessive, and doesn't really
+scale, especially in a virtualization scenario where CPUs may be
+oversubscribed: in cases where arch_get_random_seed_long() is backed
+by an instruction that actually goes back to a shared hardware entropy
+source (such as RNDRRS on ARM), we will end up hitting it hundreds of
+times per second.
+
+So let's drop the call to arch_get_random_seed_long() from
+add_interrupt_randomness(), and instead, rely on crng_reseed() to call
+the arch hook to get random seed material from the platform.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Tested-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://lore.kernel.org/r/20201105152944.16953-1-ardb@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1279,8 +1279,6 @@ void add_interrupt_randomness(int irq, i
+ cycles_t cycles = random_get_entropy();
+ __u32 c_high, j_high;
+ __u64 ip;
+- unsigned long seed;
+- int credit = 0;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+@@ -1316,23 +1314,12 @@ void add_interrupt_randomness(int irq, i
+
+ fast_pool->last = now;
+ __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool));
+-
+- /*
+- * If we have architectural seed generator, produce a seed and
+- * add it to the pool. For the sake of paranoia don't let the
+- * architectural seed generator dominate the input from the
+- * interrupt noise.
+- */
+- if (arch_get_random_seed_long(&seed)) {
+- __mix_pool_bytes(r, &seed, sizeof(seed));
+- credit = 1;
+- }
+ spin_unlock(&r->lock);
+
+ fast_pool->count = 0;
+
+ /* award one bit for the contents of the fast pool */
+- credit_entropy_bits(r, credit + 1);
++ credit_entropy_bits(r, 1);
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 7 Jun 2022 09:44:07 +0200
+Subject: random: avoid checking crng_ready() twice in random_init()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9b29b6b20376ab64e1b043df6301d8a92378e631 upstream.
+
+The current flow expands to:
+
+ if (crng_ready())
+ ...
+ else if (...)
+ if (!crng_ready())
+ ...
+
+The second crng_ready() call is redundant, but can't so easily be
+optimized out by the compiler.
+
+This commit simplifies that to:
+
+ if (crng_ready()
+ ...
+ else if (...)
+ ...
+
+Fixes: 560181c27b58 ("random: move initialization functions out of hot pages")
+Cc: stable@vger.kernel.org
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -834,7 +834,7 @@ int __init random_init(const char *comma
+ if (crng_ready())
+ crng_reseed();
+ else if (trust_cpu)
+- credit_init_bits(arch_bytes * 8);
++ _credit_init_bits(arch_bytes * 8);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 9 May 2022 13:40:55 +0200
+Subject: random: avoid initializing twice in credit race
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit fed7ef061686cc813b1f3d8d0edc6c35b4d3537b upstream.
+
+Since all changes of crng_init now go through credit_init_bits(), we can
+fix a long standing race in which two concurrent callers of
+credit_init_bits() have the new bit count >= some threshold, but are
+doing so with crng_init as a lower threshold, checked outside of a lock,
+resulting in crng_reseed() or similar being called twice.
+
+In order to fix this, we can use the original cmpxchg value of the bit
+count, and only change crng_init when the bit count transitions from
+below a threshold to meeting the threshold.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 48 ++++++++++++++++++++++--------------------------
+ 1 file changed, 22 insertions(+), 26 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -264,7 +264,6 @@ static void crng_reseed(void)
+ unsigned long flags;
+ unsigned long next_gen;
+ u8 key[CHACHA20_KEY_SIZE];
+- bool finalize_init = false;
+
+ extract_entropy(key, sizeof(key));
+
+@@ -281,28 +280,10 @@ static void crng_reseed(void)
+ ++next_gen;
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+- if (!crng_ready()) {
++ if (!crng_ready())
+ crng_init = CRNG_READY;
+- finalize_init = true;
+- }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ memzero_explicit(key, sizeof(key));
+- if (finalize_init) {
+- process_random_ready_list();
+- wake_up_interruptible(&crng_init_wait);
+- kill_fasync(&fasync, SIGIO, POLL_IN);
+- pr_notice("crng init done\n");
+- if (unseeded_warning.missed) {
+- pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
+- unseeded_warning.missed);
+- unseeded_warning.missed = 0;
+- }
+- if (urandom_warning.missed) {
+- pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
+- urandom_warning.missed);
+- urandom_warning.missed = 0;
+- }
+- }
+ }
+
+ /*
+@@ -818,7 +799,7 @@ static void extract_entropy(void *buf, s
+
+ static void credit_init_bits(size_t nbits)
+ {
+- unsigned int init_bits, orig, add;
++ unsigned int new, orig, add;
+ unsigned long flags;
+
+ if (crng_ready() || !nbits)
+@@ -828,13 +809,28 @@ static void credit_init_bits(size_t nbit
+
+ do {
+ orig = READ_ONCE(input_pool.init_bits);
+- init_bits = min_t(unsigned int, POOL_BITS, orig + add);
+- } while (cmpxchg(&input_pool.init_bits, orig, init_bits) != orig);
++ new = min_t(unsigned int, POOL_BITS, orig + add);
++ } while (cmpxchg(&input_pool.init_bits, orig, new) != orig);
+
+- if (!crng_ready() && init_bits >= POOL_READY_BITS)
+- crng_reseed();
+- else if (unlikely(crng_init == CRNG_EMPTY && init_bits >= POOL_EARLY_BITS)) {
++ if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) {
++ crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */
++ process_random_ready_list();
++ wake_up_interruptible(&crng_init_wait);
++ kill_fasync(&fasync, SIGIO, POLL_IN);
++ pr_notice("crng init done\n");
++ if (unseeded_warning.missed) {
++ pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
++ unseeded_warning.missed);
++ unseeded_warning.missed = 0;
++ }
++ if (urandom_warning.missed) {
++ pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
++ urandom_warning.missed);
++ urandom_warning.missed = 0;
++ }
++ } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) {
+ spin_lock_irqsave(&base_crng.lock, flags);
++ /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */
+ if (crng_init == CRNG_EMPTY) {
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ crng_init = CRNG_EARLY;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 30 Dec 2021 17:50:52 +0100
+Subject: random: avoid superfluous call to RDRAND in CRNG extraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 2ee25b6968b1b3c66ffa408de23d023c1bce81cf upstream.
+
+RDRAND is not fast. RDRAND is actually quite slow. We've known this for
+a while, which is why functions like get_random_u{32,64} were converted
+to use batching of our ChaCha-based CRNG instead.
+
+Yet CRNG extraction still includes a call to RDRAND, in the hot path of
+every call to get_random_bytes(), /dev/urandom, and getrandom(2).
+
+This call to RDRAND here seems quite superfluous. CRNG is already
+extracting things based on a 256-bit key, based on good entropy, which
+is then reseeded periodically, updated, backtrack-mutated, and so
+forth. The CRNG extraction construction is something that we're already
+relying on to be secure and solid. If it's not, that's a serious
+problem, and it's unlikely that mixing in a measly 32 bits from RDRAND
+is going to alleviate things.
+
+And in the case where the CRNG doesn't have enough entropy yet, we're
+already initializing the ChaCha key row with RDRAND in
+crng_init_try_arch_early().
+
+Removing the call to RDRAND improves performance on an i7-11850H by
+370%. In other words, the vast majority of the work done by
+extract_crng() prior to this commit was devoted to fetching 32 bits of
+RDRAND.
+
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1022,7 +1022,7 @@ static void crng_reseed(struct crng_stat
+ static void _extract_crng(struct crng_state *crng,
+ __u32 out[CHACHA20_BLOCK_WORDS])
+ {
+- unsigned long v, flags, init_time;
++ unsigned long flags, init_time;
+
+ if (crng_ready()) {
+ init_time = READ_ONCE(crng->init_time);
+@@ -1032,8 +1032,6 @@ static void _extract_crng(struct crng_st
+ &input_pool : NULL);
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+- if (arch_get_random_long(&v))
+- crng->state[14] ^= v;
+ chacha20_block(&crng->state[0], out);
+ if (crng->state[12] == 0)
+ crng->state[13]++;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 10 Mar 2020 12:09:12 +0000
+Subject: random: avoid warnings for !CONFIG_NUMA builds
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ab9a7e27044b87ff2be47b8f8e095400e7fccc44 upstream.
+
+As crng_initialize_secondary() is only called by do_numa_crng_init(),
+and the latter is under ifdeffery for CONFIG_NUMA, when CONFIG_NUMA is
+not selected the compiler will warn that the former is unused:
+
+| drivers/char/random.c:820:13: warning: 'crng_initialize_secondary' defined but not used [-Wunused-function]
+| 820 | static void crng_initialize_secondary(struct crng_state *crng)
+| | ^~~~~~~~~~~~~~~~~~~~~~~~~
+
+Stephen reports that this happens for x86_64 noallconfig builds.
+
+We could move crng_initialize_secondary() and crng_init_try_arch() under
+the CONFIG_NUMA ifdeffery, but this has the unfortunate property of
+separating them from crng_initialize_primary() and
+crng_init_try_arch_early() respectively. Instead, let's mark
+crng_initialize_secondary() as __maybe_unused.
+
+Link: https://lore.kernel.org/r/20200310121747.GA49602@lakrids.cambridge.arm.com
+Fixes: 5cbe0f13b51a ("random: split primary/secondary crng init paths")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -800,7 +800,7 @@ static bool crng_init_try_arch(struct cr
+ return arch_init;
+ }
+
+-static void crng_initialize_secondary(struct crng_state *crng)
++static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
+ {
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+ _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 12 Feb 2022 23:57:38 +0100
+Subject: random: check for crng_init == 0 in add_device_randomness()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1daf2f387652bf3a7044aea042f5023b3f6b189b upstream.
+
+This has no real functional change, as crng_pre_init_inject() (and
+before that, crng_slow_init()) always checks for == 0, not >= 2. So
+correct the outer unlocked change to reflect that. Before this used
+crng_ready(), which was not correct.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1015,7 +1015,7 @@ void add_device_randomness(const void *b
+ unsigned long time = random_get_entropy() ^ jiffies;
+ unsigned long flags;
+
+- if (!crng_ready() && size)
++ if (crng_init == 0 && size)
+ crng_pre_init_inject(buf, size, false, false);
+
+ spin_lock_irqsave(&input_pool.lock, flags);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Mar 2022 10:12:16 -0700
+Subject: random: check for signal and try earlier when generating entropy
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 3e504d2026eb6c8762cd6040ae57db166516824a upstream.
+
+Rather than waiting a full second in an interruptable waiter before
+trying to generate entropy, try to generate entropy first and wait
+second. While waiting one second might give an extra second for getting
+entropy from elsewhere, we're already pretty late in the init process
+here, and whatever else is generating entropy will still continue to
+contribute. This has implications on signal handling: we call
+try_to_generate_entropy() from wait_for_random_bytes(), and
+wait_for_random_bytes() always uses wait_event_interruptible_timeout()
+when waiting, since it's called by userspace code in restartable
+contexts, where signals can pend. Since try_to_generate_entropy() now
+runs first, if a signal is pending, it's necessary for
+try_to_generate_entropy() to check for signals, since it won't hit the
+wait until after try_to_generate_entropy() has returned. And even before
+this change, when entering a busy loop in try_to_generate_entropy(), we
+should have been checking to see if any signals are pending, so that a
+process doesn't get stuck in that loop longer than expected.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -127,10 +127,11 @@ int wait_for_random_bytes(void)
+ {
+ while (!crng_ready()) {
+ int ret;
++
++ try_to_generate_entropy();
+ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
+ if (ret)
+ return ret > 0 ? 0 : ret;
+- try_to_generate_entropy();
+ }
+ return 0;
+ }
+@@ -1366,7 +1367,7 @@ static void try_to_generate_entropy(void
+ return;
+
+ __setup_timer_on_stack(&stack.timer, entropy_timer, 0, 0);
+- while (!crng_ready()) {
++ while (!crng_ready() && !signal_pending(current)) {
+ if (!timer_pending(&stack.timer))
+ mod_timer(&stack.timer, jiffies + 1);
+ mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Jann Horn <jannh@google.com>
+Date: Tue, 5 Apr 2022 18:39:31 +0200
+Subject: random: check for signal_pending() outside of need_resched() check
+
+From: Jann Horn <jannh@google.com>
+
+commit 1448769c9cdb69ad65287f4f7ab58bc5f2f5d7ba upstream.
+
+signal_pending() checks TIF_NOTIFY_SIGNAL and TIF_SIGPENDING, which
+signal that the task should bail out of the syscall when possible. This
+is a separate concept from need_resched(), which checks
+TIF_NEED_RESCHED, signaling that the task should preempt.
+
+In particular, with the current code, the signal_pending() bailout
+probably won't work reliably.
+
+Change this to look like other functions that read lots of data, such as
+read_zero().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -549,13 +549,13 @@ static ssize_t get_random_bytes_user(voi
+ }
+
+ do {
+- if (large_request && need_resched()) {
++ if (large_request) {
+ if (signal_pending(current)) {
+ if (!ret)
+ ret = -ERESTARTSYS;
+ break;
+ }
+- schedule();
++ cond_resched();
+ }
+
+ chacha20_block(chacha_state, output);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 22 May 2022 22:25:41 +0200
+Subject: random: check for signals after page of pool writes
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1ce6c8d68f8ac587f54d0a271ac594d3d51f3efb upstream.
+
+get_random_bytes_user() checks for signals after producing a PAGE_SIZE
+worth of output, just like /dev/zero does. write_pool() is doing
+basically the same work (actually, slightly more expensive), and so
+should stop to check for signals in the same way. Let's also name it
+write_pool_user() to match get_random_bytes_user(), so this won't be
+misused in the future.
+
+Before this patch, massive writes to /dev/urandom would tie up the
+process for an extremely long time and make it unterminatable. After, it
+can be successfully interrupted. The following test program can be used
+to see this works as intended:
+
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <signal.h>
+ #include <stdio.h>
+
+ static unsigned char x[~0U];
+
+ static void handle(int) { }
+
+ int main(int argc, char *argv[])
+ {
+ pid_t pid = getpid(), child;
+ int fd;
+ signal(SIGUSR1, handle);
+ if (!(child = fork())) {
+ for (;;)
+ kill(pid, SIGUSR1);
+ }
+ fd = open("/dev/urandom", O_WRONLY);
+ pause();
+ printf("interrupted after writing %zd bytes\n", write(fd, x, sizeof(x)));
+ close(fd);
+ kill(child, SIGTERM);
+ return 0;
+ }
+
+Result before: "interrupted after writing 2147479552 bytes"
+Result after: "interrupted after writing 4096 bytes"
+
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1251,7 +1251,7 @@ static unsigned int random_poll(struct f
+ return crng_ready() ? POLLIN | POLLRDNORM : POLLOUT | POLLWRNORM;
+ }
+
+-static ssize_t write_pool(struct iov_iter *iter)
++static ssize_t write_pool_user(struct iov_iter *iter)
+ {
+ u8 block[BLAKE2S_BLOCK_SIZE];
+ ssize_t ret = 0;
+@@ -1266,7 +1266,13 @@ static ssize_t write_pool(struct iov_ite
+ mix_pool_bytes(block, copied);
+ if (!iov_iter_count(iter) || copied != sizeof(block))
+ break;
+- cond_resched();
++
++ BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0);
++ if (ret % PAGE_SIZE == 0) {
++ if (signal_pending(current))
++ break;
++ cond_resched();
++ }
+ }
+
+ memzero_explicit(block, sizeof(block));
+@@ -1275,7 +1281,7 @@ static ssize_t write_pool(struct iov_ite
+
+ static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter)
+ {
+- return write_pool(iter);
++ return write_pool_user(iter);
+ }
+
+ static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
+@@ -1342,7 +1348,7 @@ static long random_ioctl(struct file *f,
+ ret = import_single_range(WRITE, p, len, &iov, &iter);
+ if (unlikely(ret))
+ return ret;
+- ret = write_pool(&iter);
++ ret = write_pool_user(&iter);
+ if (unlikely(ret < 0))
+ return ret;
+ /* Since we're crediting, enforce that it was all written into the pool. */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 6 Apr 2022 02:36:16 +0200
+Subject: random: check for signals every PAGE_SIZE chunk of /dev/[u]random
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05 upstream.
+
+In 1448769c9cdb ("random: check for signal_pending() outside of
+need_resched() check"), Jann pointed out that we previously were only
+checking the TIF_NOTIFY_SIGNAL and TIF_SIGPENDING flags if the process
+had TIF_NEED_RESCHED set, which meant in practice, super long reads to
+/dev/[u]random would delay signal handling by a long time. I tried this
+using the below program, and indeed I wasn't able to interrupt a
+/dev/urandom read until after several megabytes had been read. The bug
+he fixed has always been there, and so code that reads from /dev/urandom
+without checking the return value of read() has mostly worked for a long
+time, for most sizes, not just for <= 256.
+
+Maybe it makes sense to keep that code working. The reason it was so
+small prior, ignoring the fact that it didn't work anyway, was likely
+because /dev/random used to block, and that could happen for pretty
+large lengths of time while entropy was gathered. But now, it's just a
+chacha20 call, which is extremely fast and is just operating on pure
+data, without having to wait for some external event. In that sense,
+/dev/[u]random is a lot more like /dev/zero.
+
+Taking a page out of /dev/zero's read_zero() function, it always returns
+at least one chunk, and then checks for signals after each chunk. Chunk
+sizes there are of length PAGE_SIZE. Let's just copy the same thing for
+/dev/[u]random, and check for signals and cond_resched() for every
+PAGE_SIZE amount of data. This makes the behavior more consistent with
+expectations, and should mitigate the impact of Jann's fix for the
+age-old signal check bug.
+
+---- test program ----
+
+ #include <unistd.h>
+ #include <signal.h>
+ #include <stdio.h>
+ #include <sys/random.h>
+
+ static unsigned char x[~0U];
+
+ static void handle(int) { }
+
+ int main(int argc, char *argv[])
+ {
+ pid_t pid = getpid(), child;
+ signal(SIGUSR1, handle);
+ if (!(child = fork())) {
+ for (;;)
+ kill(pid, SIGUSR1);
+ }
+ pause();
+ printf("interrupted after reading %zd bytes\n", getrandom(x, sizeof(x), 0));
+ kill(child, SIGTERM);
+ return 0;
+ }
+
+Cc: Jann Horn <jannh@google.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 41 ++++++++++++++++++++---------------------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -523,9 +523,7 @@ EXPORT_SYMBOL(get_random_bytes);
+
+ static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
+ {
+- bool large_request = nbytes > 256;
+- ssize_t ret = 0;
+- size_t len;
++ size_t len, left, ret = 0;
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ u8 output[CHACHA20_BLOCK_SIZE];
+
+@@ -537,46 +535,47 @@ static ssize_t get_random_bytes_user(voi
+ * bytes, in case userspace causes copy_to_user() below to sleep
+ * forever, so that we still retain forward secrecy in that case.
+ */
+- crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE);
++ crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA20_KEY_SIZE);
+ /*
+ * However, if we're doing a read of len <= 32, we don't need to
+ * use chacha_state after, so we can simply return those bytes to
+ * the user directly.
+ */
+- if (nbytes <= CHACHA_KEY_SIZE) {
+- ret = copy_to_user(buf, &chacha_state[4], nbytes) ? -EFAULT : nbytes;
++ if (nbytes <= CHACHA20_KEY_SIZE) {
++ ret = nbytes - copy_to_user(buf, &chacha_state[4], nbytes);
+ goto out_zero_chacha;
+ }
+
+- do {
+- if (large_request) {
+- if (signal_pending(current)) {
+- if (!ret)
+- ret = -ERESTARTSYS;
+- break;
+- }
+- cond_resched();
+- }
+-
++ for (;;) {
+ chacha20_block(chacha_state, output);
+ if (unlikely(chacha_state[12] == 0))
+ ++chacha_state[13];
+
+ len = min_t(size_t, nbytes, CHACHA20_BLOCK_SIZE);
+- if (copy_to_user(buf, output, len)) {
+- ret = -EFAULT;
++ left = copy_to_user(buf, output, len);
++ if (left) {
++ ret += len - left;
+ break;
+ }
+
+- nbytes -= len;
+ buf += len;
+ ret += len;
+- } while (nbytes);
++ nbytes -= len;
++ if (!nbytes)
++ break;
++
++ BUILD_BUG_ON(PAGE_SIZE % CHACHA20_BLOCK_SIZE != 0);
++ if (ret % PAGE_SIZE == 0) {
++ if (signal_pending(current))
++ break;
++ cond_resched();
++ }
++ }
+
+ memzero_explicit(output, sizeof(output));
+ out_zero_chacha:
+ memzero_explicit(chacha_state, sizeof(chacha_state));
+- return ret;
++ return ret ? ret : -EFAULT;
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 13 Jan 2022 18:18:48 +0100
+Subject: random: cleanup fractional entropy shift constants
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 18263c4e8e62f7329f38f5eadc568751242ca89c upstream.
+
+The entropy estimator is calculated in terms of 1/8 bits, which means
+there are various constants where things are shifted by 3. Move these
+into our pool info enum with the other relevant constants. While we're
+at it, move an English assertion about sizes into a proper BUILD_BUG_ON
+so that the compiler can ensure this invariant.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -359,16 +359,6 @@
+ /* #define ADD_INTERRUPT_BENCH */
+
+ /*
+- * To allow fractional bits to be tracked, the entropy_count field is
+- * denominated in units of 1/8th bits.
+- *
+- * 2*(POOL_ENTROPY_SHIFT + poolbitshift) must <= 31, or the multiply in
+- * credit_entropy_bits() needs to be 64 bits wide.
+- */
+-#define POOL_ENTROPY_SHIFT 3
+-#define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
+-
+-/*
+ * If the entropy count falls under this number of bits, then we
+ * should wake up processes which are selecting or polling on write
+ * access to /dev/random.
+@@ -425,8 +415,13 @@ enum poolinfo {
+ POOL_WORDMASK = POOL_WORDS - 1,
+ POOL_BYTES = POOL_WORDS * sizeof(u32),
+ POOL_BITS = POOL_BYTES * 8,
+- POOL_BITSHIFT = ilog2(POOL_WORDS) + 5,
+- POOL_FRACBITS = POOL_WORDS << (POOL_ENTROPY_SHIFT + 5),
++ POOL_BITSHIFT = ilog2(POOL_BITS),
++
++ /* To allow fractional bits to be tracked, the entropy_count field is
++ * denominated in units of 1/8th bits. */
++ POOL_ENTROPY_SHIFT = 3,
++#define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
++ POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
+
+ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
+ POOL_TAP1 = 104,
+@@ -652,6 +647,9 @@ static void credit_entropy_bits(int nbit
+ int entropy_count, entropy_bits, orig;
+ int nfrac = nbits << POOL_ENTROPY_SHIFT;
+
++ /* Ensure that the multiplication can avoid being 64 bits wide. */
++ BUILD_BUG_ON(2 * (POOL_ENTROPY_SHIFT + POOL_BITSHIFT) > 31);
++
+ if (!nbits)
+ return;
+
+@@ -687,13 +685,13 @@ retry:
+ /* The +2 corresponds to the /4 in the denominator */
+
+ do {
+- unsigned int anfrac = min(pnfrac, POOL_FRACBITS/2);
++ unsigned int anfrac = min(pnfrac, POOL_FRACBITS / 2);
+ unsigned int add =
+- ((POOL_FRACBITS - entropy_count)*anfrac*3) >> s;
++ ((POOL_FRACBITS - entropy_count) * anfrac * 3) >> s;
+
+ entropy_count += add;
+ pnfrac -= anfrac;
+- } while (unlikely(entropy_count < POOL_FRACBITS-2 && pnfrac));
++ } while (unlikely(entropy_count < POOL_FRACBITS - 2 && pnfrac));
+ }
+
+ if (WARN_ON(entropy_count < 0)) {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 9 Jan 2022 17:48:58 +0100
+Subject: random: cleanup integer types
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit d38bb0853589c939573ea50e9cb64f733e0e273d upstream.
+
+Rather than using the userspace type, __uXX, switch to using uXX. And
+rather than using variously chosen `char *` or `unsigned char *`, use
+`u8 *` uniformly for things that aren't strings, in the case where we
+are doing byte-by-byte traversal.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 114 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 57 insertions(+), 57 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -457,7 +457,7 @@ static DEFINE_SPINLOCK(random_ready_list
+ static LIST_HEAD(random_ready_list);
+
+ struct crng_state {
+- __u32 state[16];
++ u32 state[16];
+ unsigned long init_time;
+ spinlock_t lock;
+ };
+@@ -484,10 +484,9 @@ static bool crng_need_final_init = false
+ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+-static void _extract_crng(struct crng_state *crng,
+- __u8 out[CHACHA20_BLOCK_SIZE]);
++static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE]);
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
++ u8 tmp[CHACHA20_BLOCK_SIZE], int used);
+ static void process_random_ready_list(void);
+ static void _get_random_bytes(void *buf, int nbytes);
+
+@@ -511,16 +510,16 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ struct entropy_store;
+ struct entropy_store {
+ /* read-only data: */
+- __u32 *pool;
++ u32 *pool;
+ const char *name;
+
+ /* read-write data: */
+ spinlock_t lock;
+- unsigned short add_ptr;
+- unsigned short input_rotate;
++ u16 add_ptr;
++ u16 input_rotate;
+ int entropy_count;
+ unsigned int last_data_init:1;
+- __u8 last_data[EXTRACT_SIZE];
++ u8 last_data[EXTRACT_SIZE];
+ };
+
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -529,7 +528,7 @@ static ssize_t _extract_entropy(struct e
+ size_t nbytes, int fips);
+
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r);
+-static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
++static u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
+
+ static struct entropy_store input_pool = {
+ .name = "input",
+@@ -537,7 +536,7 @@ static struct entropy_store input_pool =
+ .pool = input_pool_data
+ };
+
+-static __u32 const twist_table[8] = {
++static u32 const twist_table[8] = {
+ 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+ 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+
+@@ -556,8 +555,8 @@ static void _mix_pool_bytes(struct entro
+ {
+ unsigned long i;
+ int input_rotate;
+- const unsigned char *bytes = in;
+- __u32 w;
++ const u8 *bytes = in;
++ u32 w;
+
+ input_rotate = r->input_rotate;
+ i = r->add_ptr;
+@@ -610,10 +609,10 @@ static void mix_pool_bytes(struct entrop
+ }
+
+ struct fast_pool {
+- __u32 pool[4];
++ u32 pool[4];
+ unsigned long last;
+- unsigned short reg_idx;
+- unsigned char count;
++ u16 reg_idx;
++ u8 count;
+ };
+
+ /*
+@@ -623,8 +622,8 @@ struct fast_pool {
+ */
+ static void fast_mix(struct fast_pool *f)
+ {
+- __u32 a = f->pool[0], b = f->pool[1];
+- __u32 c = f->pool[2], d = f->pool[3];
++ u32 a = f->pool[0], b = f->pool[1];
++ u32 c = f->pool[2], d = f->pool[3];
+
+ a += b; c += d;
+ b = rol32(b, 6); d = rol32(d, 27);
+@@ -815,14 +814,14 @@ static bool __init crng_init_try_arch_ea
+ static void crng_initialize_secondary(struct crng_state *crng)
+ {
+ chacha_init_consts(crng->state);
+- _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
++ _get_random_bytes(&crng->state[4], sizeof(u32) * 12);
+ crng_init_try_arch(crng);
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
+ static void __init crng_initialize_primary(struct crng_state *crng)
+ {
+- _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
++ _extract_entropy(&input_pool, &crng->state[4], sizeof(u32) * 12, 0);
+ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+@@ -909,12 +908,14 @@ static struct crng_state *select_crng(vo
+
+ /*
+ * crng_fast_load() can be called by code in the interrupt service
+- * path. So we can't afford to dilly-dally.
++ * path. So we can't afford to dilly-dally. Returns the number of
++ * bytes processed from cp.
+ */
+-static int crng_fast_load(const char *cp, size_t len)
++static size_t crng_fast_load(const u8 *cp, size_t len)
+ {
+ unsigned long flags;
+- char *p;
++ u8 *p;
++ size_t ret = 0;
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+@@ -922,10 +923,10 @@ static int crng_fast_load(const char *cp
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ return 0;
+ }
+- p = (unsigned char *) &primary_crng.state[4];
++ p = (u8 *) &primary_crng.state[4];
+ while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+ p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
+- cp++; crng_init_cnt++; len--;
++ cp++; crng_init_cnt++; len--; ret++;
+ }
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+@@ -933,7 +934,7 @@ static int crng_fast_load(const char *cp
+ crng_init = 1;
+ pr_notice("fast init done\n");
+ }
+- return 1;
++ return ret;
+ }
+
+ /*
+@@ -950,14 +951,14 @@ static int crng_fast_load(const char *cp
+ * like a fixed DMI table (for example), which might very well be
+ * unique to the machine, but is otherwise unvarying.
+ */
+-static int crng_slow_load(const char *cp, size_t len)
++static int crng_slow_load(const u8 *cp, size_t len)
+ {
+ unsigned long flags;
+- static unsigned char lfsr = 1;
+- unsigned char tmp;
+- unsigned i, max = CHACHA20_KEY_SIZE;
+- const char * src_buf = cp;
+- char * dest_buf = (char *) &primary_crng.state[4];
++ static u8 lfsr = 1;
++ u8 tmp;
++ unsigned int i, max = CHACHA20_KEY_SIZE;
++ const u8 * src_buf = cp;
++ u8 * dest_buf = (u8 *) &primary_crng.state[4];
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+@@ -986,8 +987,8 @@ static void crng_reseed(struct crng_stat
+ unsigned long flags;
+ int i, num;
+ union {
+- __u8 block[CHACHA20_BLOCK_SIZE];
+- __u32 key[8];
++ u8 block[CHACHA20_BLOCK_SIZE];
++ u32 key[8];
+ } buf;
+
+ if (r) {
+@@ -1014,7 +1015,7 @@ static void crng_reseed(struct crng_stat
+ }
+
+ static void _extract_crng(struct crng_state *crng,
+- __u8 out[CHACHA20_BLOCK_SIZE])
++ u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ unsigned long flags, init_time;
+
+@@ -1032,7 +1033,7 @@ static void _extract_crng(struct crng_st
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
++static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ _extract_crng(select_crng(), out);
+ }
+@@ -1042,26 +1043,26 @@ static void extract_crng(__u8 out[CHACHA
+ * enough) to mutate the CRNG key to provide backtracking protection.
+ */
+ static void _crng_backtrack_protect(struct crng_state *crng,
+- __u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++ u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+ unsigned long flags;
+- __u32 *s, *d;
++ u32 *s, *d;
+ int i;
+
+- used = round_up(used, sizeof(__u32));
++ used = round_up(used, sizeof(u32));
+ if (used + CHACHA20_KEY_SIZE > CHACHA20_BLOCK_SIZE) {
+ extract_crng(tmp);
+ used = 0;
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+- s = (__u32 *) &tmp[used];
++ s = (u32 *) &tmp[used];
+ d = &crng->state[4];
+ for (i=0; i < 8; i++)
+ *d++ ^= *s++;
+ spin_unlock_irqrestore(&crng->lock, flags);
+ }
+
+-static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+ _crng_backtrack_protect(select_crng(), tmp, used);
+ }
+@@ -1069,7 +1070,7 @@ static void crng_backtrack_protect(__u8
+ static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
+ {
+ ssize_t ret = 0, i = CHACHA20_BLOCK_SIZE;
+- __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
++ u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
+ int large_request = (nbytes > 256);
+
+ while (nbytes) {
+@@ -1157,8 +1158,8 @@ static void add_timer_randomness(struct
+ struct entropy_store *r;
+ struct {
+ long jiffies;
+- unsigned cycles;
+- unsigned num;
++ unsigned int cycles;
++ unsigned int num;
+ } sample;
+ long delta, delta2, delta3;
+
+@@ -1240,15 +1241,15 @@ static void add_interrupt_bench(cycles_t
+ #define add_interrupt_bench(x)
+ #endif
+
+-static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
++static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+- __u32 *ptr = (__u32 *) regs;
++ u32 *ptr = (u32 *) regs;
+ unsigned int idx;
+
+ if (regs == NULL)
+ return 0;
+ idx = READ_ONCE(f->reg_idx);
+- if (idx >= sizeof(struct pt_regs) / sizeof(__u32))
++ if (idx >= sizeof(struct pt_regs) / sizeof(u32))
+ idx = 0;
+ ptr += idx++;
+ WRITE_ONCE(f->reg_idx, idx);
+@@ -1262,8 +1263,8 @@ void add_interrupt_randomness(int irq)
+ struct pt_regs *regs = get_irq_regs();
+ unsigned long now = jiffies;
+ cycles_t cycles = random_get_entropy();
+- __u32 c_high, j_high;
+- __u64 ip;
++ u32 c_high, j_high;
++ u64 ip;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+@@ -1281,8 +1282,7 @@ void add_interrupt_randomness(int irq)
+
+ if (unlikely(crng_init == 0)) {
+ if ((fast_pool->count >= 64) &&
+- crng_fast_load((char *) fast_pool->pool,
+- sizeof(fast_pool->pool))) {
++ crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
+ fast_pool->count = 0;
+ fast_pool->last = now;
+ }
+@@ -1379,7 +1379,7 @@ retry:
+ *
+ * Note: we assume that .poolwords is a multiple of 16 words.
+ */
+-static void extract_buf(struct entropy_store *r, __u8 *out)
++static void extract_buf(struct entropy_store *r, u8 *out)
+ {
+ struct blake2s_state state __aligned(__alignof__(unsigned long));
+ u8 hash[BLAKE2S_HASH_SIZE];
+@@ -1429,7 +1429,7 @@ static ssize_t _extract_entropy(struct e
+ size_t nbytes, int fips)
+ {
+ ssize_t ret = 0, i;
+- __u8 tmp[EXTRACT_SIZE];
++ u8 tmp[EXTRACT_SIZE];
+ unsigned long flags;
+
+ while (nbytes) {
+@@ -1467,7 +1467,7 @@ static ssize_t _extract_entropy(struct e
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ size_t nbytes, int min, int reserved)
+ {
+- __u8 tmp[EXTRACT_SIZE];
++ u8 tmp[EXTRACT_SIZE];
+ unsigned long flags;
+
+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
+@@ -1529,7 +1529,7 @@ static void _warn_unseeded_randomness(co
+ */
+ static void _get_random_bytes(void *buf, int nbytes)
+ {
+- __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
++ u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
+
+ trace_get_random_bytes(nbytes, _RET_IP_);
+
+@@ -1663,7 +1663,7 @@ EXPORT_SYMBOL(del_random_ready_callback)
+ int __must_check get_random_bytes_arch(void *buf, int nbytes)
+ {
+ int left = nbytes;
+- char *p = buf;
++ u8 *p = buf;
+
+ trace_get_random_bytes_arch(left, _RET_IP_);
+ while (left) {
+@@ -1805,7 +1805,7 @@ static int
+ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+ size_t bytes;
+- __u32 t, buf[16];
++ u32 t, buf[16];
+ const char __user *p = buffer;
+
+ while (count > 0) {
+@@ -1815,7 +1815,7 @@ write_pool(struct entropy_store *r, cons
+ if (copy_from_user(&buf, p, bytes))
+ return -EFAULT;
+
+- for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
++ for (b = bytes; b > 0; b -= sizeof(u32), i++) {
+ if (!arch_get_random_int(&t))
+ break;
+ buf[i] ^= t;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 9 Jan 2022 17:32:02 +0100
+Subject: random: cleanup poolinfo abstraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 91ec0fe138f107232cb36bc6112211db37cb5306 upstream.
+
+Now that we're only using one polynomial, we can cleanup its
+representation into constants, instead of passing around pointers
+dynamically to select different polynomials. This improves the codegen
+and makes the code a bit more straightforward.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 67 ++++++++++++++++++++++----------------------------
+ 1 file changed, 30 insertions(+), 37 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -431,14 +431,20 @@ static int random_write_wakeup_bits = 28
+ * polynomial which improves the resulting TGFSR polynomial to be
+ * irreducible, which we have made here.
+ */
+-static const struct poolinfo {
+- int poolbitshift, poolwords, poolbytes, poolfracbits;
+-#define S(x) ilog2(x)+5, (x), (x)*4, (x) << (ENTROPY_SHIFT+5)
+- int tap1, tap2, tap3, tap4, tap5;
+-} poolinfo_table[] = {
+- /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */
++enum poolinfo {
++ POOL_WORDS = 128,
++ POOL_WORDMASK = POOL_WORDS - 1,
++ POOL_BYTES = POOL_WORDS * sizeof(u32),
++ POOL_BITS = POOL_BYTES * 8,
++ POOL_BITSHIFT = ilog2(POOL_WORDS) + 5,
++ POOL_FRACBITS = POOL_WORDS << (ENTROPY_SHIFT + 5),
++
+ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
+- { S(128), 104, 76, 51, 25, 1 },
++ POOL_TAP1 = 104,
++ POOL_TAP2 = 76,
++ POOL_TAP3 = 51,
++ POOL_TAP4 = 25,
++ POOL_TAP5 = 1
+ };
+
+ /*
+@@ -505,7 +511,6 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ struct entropy_store;
+ struct entropy_store {
+ /* read-only data: */
+- const struct poolinfo *poolinfo;
+ __u32 *pool;
+ const char *name;
+
+@@ -527,7 +532,6 @@ static void crng_reseed(struct crng_stat
+ static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
+
+ static struct entropy_store input_pool = {
+- .poolinfo = &poolinfo_table[0],
+ .name = "input",
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ .pool = input_pool_data
+@@ -550,33 +554,26 @@ static __u32 const twist_table[8] = {
+ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+ int nbytes)
+ {
+- unsigned long i, tap1, tap2, tap3, tap4, tap5;
++ unsigned long i;
+ int input_rotate;
+- int wordmask = r->poolinfo->poolwords - 1;
+ const unsigned char *bytes = in;
+ __u32 w;
+
+- tap1 = r->poolinfo->tap1;
+- tap2 = r->poolinfo->tap2;
+- tap3 = r->poolinfo->tap3;
+- tap4 = r->poolinfo->tap4;
+- tap5 = r->poolinfo->tap5;
+-
+ input_rotate = r->input_rotate;
+ i = r->add_ptr;
+
+ /* mix one byte at a time to simplify size handling and churn faster */
+ while (nbytes--) {
+ w = rol32(*bytes++, input_rotate);
+- i = (i - 1) & wordmask;
++ i = (i - 1) & POOL_WORDMASK;
+
+ /* XOR in the various taps */
+ w ^= r->pool[i];
+- w ^= r->pool[(i + tap1) & wordmask];
+- w ^= r->pool[(i + tap2) & wordmask];
+- w ^= r->pool[(i + tap3) & wordmask];
+- w ^= r->pool[(i + tap4) & wordmask];
+- w ^= r->pool[(i + tap5) & wordmask];
++ w ^= r->pool[(i + POOL_TAP1) & POOL_WORDMASK];
++ w ^= r->pool[(i + POOL_TAP2) & POOL_WORDMASK];
++ w ^= r->pool[(i + POOL_TAP3) & POOL_WORDMASK];
++ w ^= r->pool[(i + POOL_TAP4) & POOL_WORDMASK];
++ w ^= r->pool[(i + POOL_TAP5) & POOL_WORDMASK];
+
+ /* Mix the result back in with a twist */
+ r->pool[i] = (w >> 3) ^ twist_table[w & 7];
+@@ -674,7 +671,6 @@ static void process_random_ready_list(vo
+ static void credit_entropy_bits(struct entropy_store *r, int nbits)
+ {
+ int entropy_count, orig;
+- const int pool_size = r->poolinfo->poolfracbits;
+ int nfrac = nbits << ENTROPY_SHIFT;
+
+ if (!nbits)
+@@ -708,25 +704,25 @@ retry:
+ * turns no matter how large nbits is.
+ */
+ int pnfrac = nfrac;
+- const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2;
++ const int s = POOL_BITSHIFT + ENTROPY_SHIFT + 2;
+ /* The +2 corresponds to the /4 in the denominator */
+
+ do {
+- unsigned int anfrac = min(pnfrac, pool_size/2);
++ unsigned int anfrac = min(pnfrac, POOL_FRACBITS/2);
+ unsigned int add =
+- ((pool_size - entropy_count)*anfrac*3) >> s;
++ ((POOL_FRACBITS - entropy_count)*anfrac*3) >> s;
+
+ entropy_count += add;
+ pnfrac -= anfrac;
+- } while (unlikely(entropy_count < pool_size-2 && pnfrac));
++ } while (unlikely(entropy_count < POOL_FRACBITS-2 && pnfrac));
+ }
+
+ if (WARN_ON(entropy_count < 0)) {
+ pr_warn("negative entropy/overflow: pool %s count %d\n",
+ r->name, entropy_count);
+ entropy_count = 0;
+- } else if (entropy_count > pool_size)
+- entropy_count = pool_size;
++ } else if (entropy_count > POOL_FRACBITS)
++ entropy_count = POOL_FRACBITS;
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+@@ -743,13 +739,11 @@ retry:
+
+ static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+- const int nbits_max = r->poolinfo->poolwords * 32;
+-
+ if (nbits < 0)
+ return -EINVAL;
+
+ /* Cap the value to avoid overflows */
+- nbits = min(nbits, nbits_max);
++ nbits = min(nbits, POOL_BITS);
+
+ credit_entropy_bits(r, nbits);
+ return 0;
+@@ -1342,7 +1336,7 @@ static size_t account(struct entropy_sto
+ int entropy_count, orig, have_bytes;
+ size_t ibytes, nfrac;
+
+- BUG_ON(r->entropy_count > r->poolinfo->poolfracbits);
++ BUG_ON(r->entropy_count > POOL_FRACBITS);
+
+ /* Can we pull enough? */
+ retry:
+@@ -1408,8 +1402,7 @@ static void extract_buf(struct entropy_s
+
+ /* Generate a hash across the pool */
+ spin_lock_irqsave(&r->lock, flags);
+- blake2s_update(&state, (const u8 *)r->pool,
+- r->poolinfo->poolwords * sizeof(*r->pool));
++ blake2s_update(&state, (const u8 *)r->pool, POOL_BYTES);
+ blake2s_final(&state, hash); /* final zeros out state */
+
+ /*
+@@ -1705,7 +1698,7 @@ static void __init init_std_data(struct
+ unsigned long rv;
+
+ mix_pool_bytes(r, &now, sizeof(now));
+- for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) {
++ for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_seed_long(&rv) &&
+ !arch_get_random_long(&rv))
+ rv = random_get_entropy();
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 24 Feb 2022 23:04:56 +0100
+Subject: random: cleanup UUID handling
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 64276a9939ff414f2f0db38036cf4e1a0a703394 upstream.
+
+Rather than hard coding various lengths, we can use the right constants.
+Strings should be `char *` while buffers should be `u8 *`. Rather than
+have a nonsensical and unused maxlength, just remove it. Finally, use
+snprintf instead of sprintf, just out of good hygiene.
+
+As well, remove the old comment about returning a binary UUID via the
+binary sysctl syscall. That syscall was removed from the kernel in 5.5,
+and actually, the "uuid_strategy" function and related infrastructure
+for even serving it via the binary sysctl syscall was removed with
+894d2491153a ("sysctl drivers: Remove dead binary sysctl support") back
+in 2.6.33.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 29 +++++++++++++----------------
+ 1 file changed, 13 insertions(+), 16 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1654,22 +1654,25 @@ const struct file_operations urandom_fop
+ static int sysctl_random_min_urandom_seed = 60;
+ static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
+ static int sysctl_poolsize = POOL_BITS;
+-static char sysctl_bootid[16];
++static u8 sysctl_bootid[UUID_SIZE];
+
+ /*
+ * This function is used to return both the bootid UUID, and random
+- * UUID. The difference is in whether table->data is NULL; if it is,
++ * UUID. The difference is in whether table->data is NULL; if it is,
+ * then a new UUID is generated and returned to the user.
+- *
+- * If the user accesses this via the proc interface, the UUID will be
+- * returned as an ASCII string in the standard UUID format; if via the
+- * sysctl system call, as 16 bytes of binary data.
+ */
+ static int proc_do_uuid(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+- struct ctl_table fake_table;
+- unsigned char buf[64], tmp_uuid[16], *uuid;
++ u8 tmp_uuid[UUID_SIZE], *uuid;
++ char uuid_string[UUID_STRING_LEN + 1];
++ struct ctl_table fake_table = {
++ .data = uuid_string,
++ .maxlen = UUID_STRING_LEN
++ };
++
++ if (write)
++ return -EPERM;
+
+ uuid = table->data;
+ if (!uuid) {
+@@ -1684,12 +1687,8 @@ static int proc_do_uuid(struct ctl_table
+ spin_unlock(&bootid_spinlock);
+ }
+
+- sprintf(buf, "%pU", uuid);
+-
+- fake_table.data = buf;
+- fake_table.maxlen = sizeof(buf);
+-
+- return proc_dostring(&fake_table, write, buffer, lenp, ppos);
++ snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid);
++ return proc_dostring(&fake_table, 0, buffer, lenp, ppos);
+ }
+
+ extern struct ctl_table random_table[];
+@@ -1725,13 +1724,11 @@ struct ctl_table random_table[] = {
+ {
+ .procname = "boot_id",
+ .data = &sysctl_bootid,
+- .maxlen = 16,
+ .mode = 0444,
+ .proc_handler = proc_do_uuid,
+ },
+ {
+ .procname = "uuid",
+- .maxlen = 16,
+ .mode = 0444,
+ .proc_handler = proc_do_uuid,
+ },
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 13 Feb 2022 22:48:04 +0100
+Subject: random: clear fast pool, crng, and batches in cpuhp bring up
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 3191dd5a1179ef0fad5a050a1702ae98b6251e8f upstream.
+
+For the irq randomness fast pool, rather than having to use expensive
+atomics, which were visibly the most expensive thing in the entire irq
+handler, simply take care of the extreme edge case of resetting count to
+zero in the cpuhp online handler, just after workqueues have been
+reenabled. This simplifies the code a bit and lets us use vanilla
+variables rather than atomics, and performance should be improved.
+
+As well, very early on when the CPU comes up, while interrupts are still
+disabled, we clear out the per-cpu crng and its batches, so that it
+always starts with fresh randomness.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Sultan Alsawaf <sultan@kerneltoast.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 62 ++++++++++++++++++++++++++++++++++-----------
+ include/linux/cpuhotplug.h | 2 +
+ include/linux/random.h | 5 +++
+ kernel/cpu.c | 11 +++++++
+ 4 files changed, 65 insertions(+), 15 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -693,6 +693,25 @@ u32 get_random_u32(void)
+ }
+ EXPORT_SYMBOL(get_random_u32);
+
++#ifdef CONFIG_SMP
++/*
++ * This function is called when the CPU is coming up, with entry
++ * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP.
++ */
++int random_prepare_cpu(unsigned int cpu)
++{
++ /*
++ * When the cpu comes back online, immediately invalidate both
++ * the per-cpu crng and all batches, so that we serve fresh
++ * randomness.
++ */
++ per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX;
++ per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX;
++ per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX;
++ return 0;
++}
++#endif
++
+ /**
+ * randomize_page - Generate a random, page aligned address
+ * @start: The smallest acceptable address the caller will take.
+@@ -1178,7 +1197,7 @@ struct fast_pool {
+ };
+ struct work_struct mix;
+ unsigned long last;
+- atomic_t count;
++ unsigned int count;
+ u16 reg_idx;
+ };
+
+@@ -1214,6 +1233,29 @@ static void fast_mix(u32 pool[4])
+
+ static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
+
++#ifdef CONFIG_SMP
++/*
++ * This function is called when the CPU has just come online, with
++ * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE.
++ */
++int random_online_cpu(unsigned int cpu)
++{
++ /*
++ * During CPU shutdown and before CPU onlining, add_interrupt_
++ * randomness() may schedule mix_interrupt_randomness(), and
++ * set the MIX_INFLIGHT flag. However, because the worker can
++ * be scheduled on a different CPU during this period, that
++ * flag will never be cleared. For that reason, we zero out
++ * the flag here, which runs just after workqueues are onlined
++ * for the CPU again. This also has the effect of setting the
++ * irq randomness count to zero so that new accumulated irqs
++ * are fresh.
++ */
++ per_cpu_ptr(&irq_randomness, cpu)->count = 0;
++ return 0;
++}
++#endif
++
+ static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+ u32 *ptr = (u32 *)regs;
+@@ -1238,15 +1280,6 @@ static void mix_interrupt_randomness(str
+ local_irq_disable();
+ if (fast_pool != this_cpu_ptr(&irq_randomness)) {
+ local_irq_enable();
+- /*
+- * If we are unlucky enough to have been moved to another CPU,
+- * during CPU hotplug while the CPU was shutdown then we set
+- * our count to zero atomically so that when the CPU comes
+- * back online, it can enqueue work again. The _release here
+- * pairs with the atomic_inc_return_acquire in
+- * add_interrupt_randomness().
+- */
+- atomic_set_release(&fast_pool->count, 0);
+ return;
+ }
+
+@@ -1255,7 +1288,7 @@ static void mix_interrupt_randomness(str
+ * consistent view, before we reenable irqs again.
+ */
+ memcpy(pool, fast_pool->pool32, sizeof(pool));
+- atomic_set(&fast_pool->count, 0);
++ fast_pool->count = 0;
+ fast_pool->last = jiffies;
+ local_irq_enable();
+
+@@ -1291,14 +1324,13 @@ void add_interrupt_randomness(int irq)
+ }
+
+ fast_mix(fast_pool->pool32);
+- /* The _acquire here pairs with the atomic_set_release in mix_interrupt_randomness(). */
+- new_count = (unsigned int)atomic_inc_return_acquire(&fast_pool->count);
++ new_count = ++fast_pool->count;
+
+ if (unlikely(crng_init == 0)) {
+ if (new_count >= 64 &&
+ crng_pre_init_inject(fast_pool->pool32, sizeof(fast_pool->pool32),
+ true, true) > 0) {
+- atomic_set(&fast_pool->count, 0);
++ fast_pool->count = 0;
+ fast_pool->last = now;
+ if (spin_trylock(&input_pool.lock)) {
+ _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+@@ -1316,7 +1348,7 @@ void add_interrupt_randomness(int irq)
+
+ if (unlikely(!fast_pool->mix.func))
+ INIT_WORK(&fast_pool->mix, mix_interrupt_randomness);
+- atomic_or(MIX_INFLIGHT, &fast_pool->count);
++ fast_pool->count |= MIX_INFLIGHT;
+ queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix);
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -59,6 +59,7 @@ enum cpuhp_state {
+ CPUHP_PCI_XGENE_DEAD,
+ CPUHP_IOMMU_INTEL_DEAD,
+ CPUHP_LUSTRE_CFS_DEAD,
++ CPUHP_RANDOM_PREPARE,
+ CPUHP_WORKQUEUE_PREP,
+ CPUHP_POWER_NUMA_PREPARE,
+ CPUHP_HRTIMERS_PREPARE,
+@@ -162,6 +163,7 @@ enum cpuhp_state {
+ CPUHP_AP_PERF_POWERPC_CORE_IMC_ONLINE,
+ CPUHP_AP_PERF_POWERPC_THREAD_IMC_ONLINE,
+ CPUHP_AP_WORKQUEUE_ONLINE,
++ CPUHP_AP_RANDOM_ONLINE,
+ CPUHP_AP_RCUTREE_ONLINE,
+ CPUHP_AP_BASE_CACHEINFO_ONLINE,
+ CPUHP_AP_ONLINE_DYN,
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -156,4 +156,9 @@ static inline bool __init arch_get_rando
+ }
+ #endif
+
++#ifdef CONFIG_SMP
++extern int random_prepare_cpu(unsigned int cpu);
++extern int random_online_cpu(unsigned int cpu);
++#endif
++
+ #endif /* _LINUX_RANDOM_H */
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -31,6 +31,7 @@
+ #include <linux/slab.h>
+ #include <linux/percpu-rwsem.h>
+ #include <linux/cpuset.h>
++#include <linux/random.h>
+
+ #include <trace/events/power.h>
+ #define CREATE_TRACE_POINTS
+@@ -1404,6 +1405,11 @@ static struct cpuhp_step cpuhp_bp_states
+ .startup.single = perf_event_init_cpu,
+ .teardown.single = perf_event_exit_cpu,
+ },
++ [CPUHP_RANDOM_PREPARE] = {
++ .name = "random:prepare",
++ .startup.single = random_prepare_cpu,
++ .teardown.single = NULL,
++ },
+ [CPUHP_WORKQUEUE_PREP] = {
+ .name = "workqueue:prepare",
+ .startup.single = workqueue_prepare_cpu,
+@@ -1523,6 +1529,11 @@ static struct cpuhp_step cpuhp_ap_states
+ .startup.single = workqueue_online_cpu,
+ .teardown.single = workqueue_offline_cpu,
+ },
++ [CPUHP_AP_RANDOM_ONLINE] = {
++ .name = "random:online",
++ .startup.single = random_online_cpu,
++ .teardown.single = NULL,
++ },
+ [CPUHP_AP_RCUTREE_ONLINE] = {
+ .name = "RCU/tree:online",
+ .startup.single = rcutree_online_cpu,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Tue, 25 Jan 2022 21:14:57 +0100
+Subject: random: continually use hwgenerator randomness
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit c321e907aa4803d562d6e70ebed9444ad082f953 upstream.
+
+The rngd kernel thread may sleep indefinitely if the entropy count is
+kept above random_write_wakeup_bits by other entropy sources. To make
+best use of multiple sources of randomness, mix entropy from hardware
+RNGs into the pool at least once within CRNG_RESEED_INTERVAL.
+
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2192,13 +2192,15 @@ void add_hwgenerator_randomness(const ch
+ return;
+ }
+
+- /* Suspend writing if we're above the trickle threshold.
++ /* Throttle writing if we're above the trickle threshold.
+ * We'll be woken up again once below random_write_wakeup_thresh,
+- * or when the calling thread is about to terminate.
++ * when the calling thread is about to terminate, or once
++ * CRNG_RESEED_INTERVAL has lapsed.
+ */
+- wait_event_interruptible(random_write_wait,
++ wait_event_interruptible_timeout(random_write_wait,
+ !system_wq || kthread_should_stop() ||
+- POOL_ENTROPY_BITS() <= random_write_wakeup_bits);
++ POOL_ENTROPY_BITS() <= random_write_wakeup_bits,
++ CRNG_RESEED_INTERVAL);
+ mix_pool_bytes(buffer, count);
+ credit_entropy_bits(entropy);
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Fri, 7 Jun 2019 14:25:14 -0400
+Subject: random: convert to ENTROPY_BITS for better code readability
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 12faac30d157970fdbfa171bbeb1fb88350303b1 upstream.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Link: https://lore.kernel.org/r/20190607182517.28266-2-tiny.windzz@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -762,7 +762,7 @@ retry:
+ if (entropy_bits < 128)
+ return;
+ crng_reseed(&primary_crng, r);
+- entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
++ entropy_bits = ENTROPY_BITS(r);
+ }
+ }
+ }
+@@ -1394,8 +1394,7 @@ retry:
+ goto retry;
+
+ trace_debit_entropy(r->name, 8 * ibytes);
+- if (ibytes &&
+- (r->entropy_count >> ENTROPY_SHIFT) < random_write_wakeup_bits) {
++ if (ibytes && ENTROPY_BITS(r) < random_write_wakeup_bits) {
+ wake_up_interruptible(&random_write_wait);
+ kill_fasync(&fasync, SIGIO, POLL_OUT);
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 19 May 2022 17:43:15 -0600
+Subject: random: convert to using fops->write_iter()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 22b0a222af4df8ee9bb8e07013ab44da9511b047 upstream.
+
+Now that the read side has been converted to fix a regression with
+splice, convert the write side as well to have some symmetry in the
+interface used (and help deprecate ->write()).
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[Jason: cleaned up random_ioctl a bit, require full writes in
+ RNDADDENTROPY since it's crediting entropy, simplify control flow of
+ write_pool(), and incorporate suggestions from Al.]
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 67 ++++++++++++++++++++++++++------------------------
+ 1 file changed, 35 insertions(+), 32 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1251,39 +1251,31 @@ static unsigned int random_poll(struct f
+ return crng_ready() ? POLLIN | POLLRDNORM : POLLOUT | POLLWRNORM;
+ }
+
+-static int write_pool(const char __user *ubuf, size_t len)
++static ssize_t write_pool(struct iov_iter *iter)
+ {
+- size_t block_len;
+- int ret = 0;
+ u8 block[BLAKE2S_BLOCK_SIZE];
++ ssize_t ret = 0;
++ size_t copied;
+
+- while (len) {
+- block_len = min(len, sizeof(block));
+- if (copy_from_user(block, ubuf, block_len)) {
+- ret = -EFAULT;
+- goto out;
+- }
+- len -= block_len;
+- ubuf += block_len;
+- mix_pool_bytes(block, block_len);
++ if (unlikely(!iov_iter_count(iter)))
++ return 0;
++
++ for (;;) {
++ copied = copy_from_iter(block, sizeof(block), iter);
++ ret += copied;
++ mix_pool_bytes(block, copied);
++ if (!iov_iter_count(iter) || copied != sizeof(block))
++ break;
+ cond_resched();
+ }
+
+-out:
+ memzero_explicit(block, sizeof(block));
+- return ret;
++ return ret ? ret : -EFAULT;
+ }
+
+-static ssize_t random_write(struct file *file, const char __user *ubuf,
+- size_t len, loff_t *ppos)
++static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter)
+ {
+- int ret;
+-
+- ret = write_pool(ubuf, len);
+- if (ret)
+- return ret;
+-
+- return (ssize_t)len;
++ return write_pool(iter);
+ }
+
+ static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
+@@ -1315,9 +1307,8 @@ static ssize_t random_read_iter(struct k
+
+ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+ {
+- int size, ent_count;
+ int __user *p = (int __user *)arg;
+- int retval;
++ int ent_count;
+
+ switch (cmd) {
+ case RNDGETENTCNT:
+@@ -1334,20 +1325,32 @@ static long random_ioctl(struct file *f,
+ return -EINVAL;
+ credit_init_bits(ent_count);
+ return 0;
+- case RNDADDENTROPY:
++ case RNDADDENTROPY: {
++ struct iov_iter iter;
++ struct iovec iov;
++ ssize_t ret;
++ int len;
++
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ent_count, p++))
+ return -EFAULT;
+ if (ent_count < 0)
+ return -EINVAL;
+- if (get_user(size, p++))
++ if (get_user(len, p++))
++ return -EFAULT;
++ ret = import_single_range(WRITE, p, len, &iov, &iter);
++ if (unlikely(ret))
++ return ret;
++ ret = write_pool(&iter);
++ if (unlikely(ret < 0))
++ return ret;
++ /* Since we're crediting, enforce that it was all written into the pool. */
++ if (unlikely(ret != len))
+ return -EFAULT;
+- retval = write_pool((const char __user *)p, size);
+- if (retval < 0)
+- return retval;
+ credit_init_bits(ent_count);
+ return 0;
++ }
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /* No longer has any effect. */
+@@ -1373,7 +1376,7 @@ static int random_fasync(int fd, struct
+
+ const struct file_operations random_fops = {
+ .read_iter = random_read_iter,
+- .write = random_write,
++ .write_iter = random_write_iter,
+ .poll = random_poll,
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+@@ -1382,7 +1385,7 @@ const struct file_operations random_fops
+
+ const struct file_operations urandom_fops = {
+ .read_iter = urandom_read_iter,
+- .write = random_write,
++ .write_iter = random_write_iter,
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+ .llseek = noop_llseek,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 12 May 2022 15:32:26 +0200
+Subject: random: credit architectural init the exact amount
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 12e45a2a6308105469968951e6d563e8f4fea187 upstream.
+
+RDRAND and RDSEED can fail sometimes, which is fine. We currently
+initialize the RNG with 512 bits of RDRAND/RDSEED. We only need 256 bits
+of those to succeed in order to initialize the RNG. Instead of the
+current "all or nothing" approach, actually credit these contributions
+the amount that is actually contributed.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -891,9 +891,8 @@ early_param("random.trust_bootloader", p
+ */
+ int __init random_init(const char *command_line)
+ {
+- size_t i;
+ ktime_t now = ktime_get_real();
+- bool arch_init = true;
++ unsigned int i, arch_bytes;
+ unsigned long rv;
+
+ #if defined(LATENT_ENTROPY_PLUGIN)
+@@ -901,11 +900,12 @@ int __init random_init(const char *comma
+ _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
+ #endif
+
+- for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
++ for (i = 0, arch_bytes = BLAKE2S_BLOCK_SIZE;
++ i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
+ if (!arch_get_random_seed_long_early(&rv) &&
+ !arch_get_random_long_early(&rv)) {
+ rv = random_get_entropy();
+- arch_init = false;
++ arch_bytes -= sizeof(rv);
+ }
+ _mix_pool_bytes(&rv, sizeof(rv));
+ }
+@@ -916,8 +916,8 @@ int __init random_init(const char *comma
+
+ if (crng_ready())
+ crng_reseed();
+- else if (arch_init && trust_cpu)
+- credit_init_bits(BLAKE2S_BLOCK_SIZE * 8);
++ else if (trust_cpu)
++ credit_init_bits(arch_bytes * 8);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 13 Jan 2022 16:11:21 +0100
+Subject: random: de-duplicate INPUT_POOL constants
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 5b87adf30f1464477169a1d653e9baf8c012bbfe upstream.
+
+We already had the POOL_* constants, so deduplicate the older INPUT_POOL
+ones. As well, fold EXTRACT_SIZE into the poolinfo enum, since it's
+related.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -359,13 +359,6 @@
+ /* #define ADD_INTERRUPT_BENCH */
+
+ /*
+- * Configuration information
+- */
+-#define INPUT_POOL_SHIFT 12
+-#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
+-#define EXTRACT_SIZE (BLAKE2S_HASH_SIZE / 2)
+-
+-/*
+ * To allow fractional bits to be tracked, the entropy_count field is
+ * denominated in units of 1/8th bits.
+ *
+@@ -440,7 +433,9 @@ enum poolinfo {
+ POOL_TAP2 = 76,
+ POOL_TAP3 = 51,
+ POOL_TAP4 = 25,
+- POOL_TAP5 = 1
++ POOL_TAP5 = 1,
++
++ EXTRACT_SIZE = BLAKE2S_HASH_SIZE / 2
+ };
+
+ /*
+@@ -503,7 +498,7 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ *
+ **********************************************************************/
+
+-static u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
++static u32 input_pool_data[POOL_WORDS] __latent_entropy;
+
+ static struct {
+ /* read-only data: */
+@@ -1958,7 +1953,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ #include <linux/sysctl.h>
+
+ static int min_write_thresh;
+-static int max_write_thresh = INPUT_POOL_WORDS * 32;
++static int max_write_thresh = POOL_BITS;
+ static int random_min_urandom_seed = 60;
+ static char sysctl_bootid[16];
+
+@@ -2015,7 +2010,7 @@ static int proc_do_entropy(struct ctl_ta
+ return proc_dointvec(&fake_table, write, buffer, lenp, ppos);
+ }
+
+-static int sysctl_poolsize = INPUT_POOL_WORDS * 32;
++static int sysctl_poolsize = POOL_BITS;
+ extern struct ctl_table random_table[];
+ struct ctl_table random_table[] = {
+ {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 4 Feb 2022 16:15:46 +0100
+Subject: random: defer fast pool mixing to worker
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 58340f8e952b613e0ead0bed58b97b05bf4743c5 upstream.
+
+On PREEMPT_RT, it's problematic to take spinlocks from hard irq
+handlers. We can fix this by deferring to a workqueue the dumping of
+the fast pool into the input pool.
+
+We accomplish this with some careful rules on fast_pool->count:
+
+ - When it's incremented to >= 64, we schedule the work.
+ - If the top bit is set, we never schedule the work, even if >= 64.
+ - The worker is responsible for setting it back to 0 when it's done.
+
+There are two small issues around using workqueues for this purpose that
+we work around.
+
+The first issue is that mix_interrupt_randomness() might be migrated to
+another CPU during CPU hotplug. This issue is rectified by checking that
+it hasn't been migrated (after disabling irqs). If it has been migrated,
+then we set the count to zero, so that when the CPU comes online again,
+it can requeue the work. As part of this, we switch to using an
+atomic_t, so that the increment in the irq handler doesn't wipe out the
+zeroing if the CPU comes back online while this worker is running.
+
+The second issue is that, though relatively minor in effect, we probably
+want to make sure we get a consistent view of the pool onto the stack,
+in case it's interrupted by an irq while reading. To do this, we don't
+reenable irqs until after the copy. There are only 18 instructions
+between the cli and sti, so this is a pretty tiny window.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 63 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 49 insertions(+), 14 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1173,9 +1173,10 @@ struct fast_pool {
+ u32 pool32[4];
+ u64 pool64[2];
+ };
++ struct work_struct mix;
+ unsigned long last;
++ atomic_t count;
+ u16 reg_idx;
+- u8 count;
+ };
+
+ /*
+@@ -1225,12 +1226,49 @@ static u32 get_reg(struct fast_pool *f,
+ return *ptr;
+ }
+
++static void mix_interrupt_randomness(struct work_struct *work)
++{
++ struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
++ u32 pool[4];
++
++ /* Check to see if we're running on the wrong CPU due to hotplug. */
++ local_irq_disable();
++ if (fast_pool != this_cpu_ptr(&irq_randomness)) {
++ local_irq_enable();
++ /*
++ * If we are unlucky enough to have been moved to another CPU,
++ * during CPU hotplug while the CPU was shutdown then we set
++ * our count to zero atomically so that when the CPU comes
++ * back online, it can enqueue work again. The _release here
++ * pairs with the atomic_inc_return_acquire in
++ * add_interrupt_randomness().
++ */
++ atomic_set_release(&fast_pool->count, 0);
++ return;
++ }
++
++ /*
++ * Copy the pool to the stack so that the mixer always has a
++ * consistent view, before we reenable irqs again.
++ */
++ memcpy(pool, fast_pool->pool32, sizeof(pool));
++ atomic_set(&fast_pool->count, 0);
++ fast_pool->last = jiffies;
++ local_irq_enable();
++
++ mix_pool_bytes(pool, sizeof(pool));
++ credit_entropy_bits(1);
++ memzero_explicit(pool, sizeof(pool));
++}
++
+ void add_interrupt_randomness(int irq)
+ {
++ enum { MIX_INFLIGHT = 1U << 31 };
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+ unsigned long now = jiffies;
+ cycles_t cycles = random_get_entropy();
++ unsigned int new_count;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+@@ -1250,12 +1288,13 @@ void add_interrupt_randomness(int irq)
+ }
+
+ fast_mix(fast_pool->pool32);
+- ++fast_pool->count;
++ /* The _acquire here pairs with the atomic_set_release in mix_interrupt_randomness(). */
++ new_count = (unsigned int)atomic_inc_return_acquire(&fast_pool->count);
+
+ if (unlikely(crng_init == 0)) {
+- if (fast_pool->count >= 64 &&
++ if (new_count >= 64 &&
+ crng_fast_load(fast_pool->pool32, sizeof(fast_pool->pool32)) > 0) {
+- fast_pool->count = 0;
++ atomic_set(&fast_pool->count, 0);
+ fast_pool->last = now;
+ if (spin_trylock(&input_pool.lock)) {
+ _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+@@ -1265,20 +1304,16 @@ void add_interrupt_randomness(int irq)
+ return;
+ }
+
+- if ((fast_pool->count < 64) && !time_after(now, fast_pool->last + HZ))
++ if (new_count & MIX_INFLIGHT)
+ return;
+
+- if (!spin_trylock(&input_pool.lock))
++ if (new_count < 64 && !time_after(now, fast_pool->last + HZ))
+ return;
+
+- fast_pool->last = now;
+- _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+- spin_unlock(&input_pool.lock);
+-
+- fast_pool->count = 0;
+-
+- /* Award one bit for the contents of the fast pool. */
+- credit_entropy_bits(1);
++ if (unlikely(!fast_pool->mix.func))
++ INIT_WORK(&fast_pool->mix, mix_interrupt_randomness);
++ atomic_or(MIX_INFLIGHT, &fast_pool->count);
++ queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix);
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:50 -0800
+Subject: random: delete code to pull data into pools
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 84df7cdfbb215a34657b39f4257dab739efa2df9 upstream.
+
+There is no pool that pulls, so it was just dead code.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/4a05fe0c7a5c831389ef4aea51d24528ac8682c7.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 40 ----------------------------------------
+ 1 file changed, 40 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -530,10 +530,8 @@ struct entropy_store {
+ const struct poolinfo *poolinfo;
+ __u32 *pool;
+ const char *name;
+- struct entropy_store *pull;
+
+ /* read-write data: */
+- unsigned long last_pulled;
+ spinlock_t lock;
+ unsigned short add_ptr;
+ unsigned short input_rotate;
+@@ -1364,41 +1362,6 @@ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ *********************************************************************/
+
+ /*
+- * This utility inline function is responsible for transferring entropy
+- * from the primary pool to the secondary extraction pool. We make
+- * sure we pull enough for a 'catastrophic reseed'.
+- */
+-static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes);
+-static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+-{
+- if (!r->pull ||
+- r->entropy_count >= (nbytes << (ENTROPY_SHIFT + 3)) ||
+- r->entropy_count > r->poolinfo->poolfracbits)
+- return;
+-
+- _xfer_secondary_pool(r, nbytes);
+-}
+-
+-static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+-{
+- __u32 tmp[OUTPUT_POOL_WORDS];
+-
+- int bytes = nbytes;
+-
+- /* pull at least as much as a wakeup */
+- bytes = max_t(int, bytes, random_read_wakeup_bits / 8);
+- /* but never more than the buffer size */
+- bytes = min_t(int, bytes, sizeof(tmp));
+-
+- trace_xfer_secondary_pool(r->name, bytes * 8, nbytes * 8,
+- ENTROPY_BITS(r), ENTROPY_BITS(r->pull));
+- bytes = extract_entropy(r->pull, tmp, bytes,
+- random_read_wakeup_bits / 8, 0);
+- mix_pool_bytes(r, tmp, bytes);
+- credit_entropy_bits(r, bytes*8);
+-}
+-
+-/*
+ * This function decides how many bytes to actually take from the
+ * given pool, and also debits the entropy count accordingly.
+ */
+@@ -1561,7 +1524,6 @@ static ssize_t extract_entropy(struct en
+ spin_unlock_irqrestore(&r->lock, flags);
+ trace_extract_entropy(r->name, EXTRACT_SIZE,
+ ENTROPY_BITS(r), _RET_IP_);
+- xfer_secondary_pool(r, EXTRACT_SIZE);
+ extract_buf(r, tmp);
+ spin_lock_irqsave(&r->lock, flags);
+ memcpy(r->last_data, tmp, EXTRACT_SIZE);
+@@ -1570,7 +1532,6 @@ static ssize_t extract_entropy(struct en
+ }
+
+ trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
+- xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, min, reserved);
+
+ return _extract_entropy(r, buf, nbytes, fips_enabled);
+@@ -1782,7 +1743,6 @@ static void __init init_std_data(struct
+ ktime_t now = ktime_get_real();
+ unsigned long rv;
+
+- r->last_pulled = jiffies;
+ mix_pool_bytes(r, &now, sizeof(now));
+ for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_seed_long(&rv) &&
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 10 Feb 2022 17:01:27 +0100
+Subject: random: deobfuscate irq u32/u64 contributions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit b2f408fe403800c91a49f6589d95b6759ce1b30b upstream.
+
+In the irq handler, we fill out 16 bytes differently on 32-bit and
+64-bit platforms, and for 32-bit vs 64-bit cycle counters, which doesn't
+always correspond with the bitness of the platform. Whether or not you
+like this strangeness, it is a matter of fact. But it might not be a
+fact you well realized until now, because the code that loaded the irq
+info into 4 32-bit words was quite confusing. Instead, this commit
+makes everything explicit by having separate (compile-time) branches for
+32-bit and 64-bit types.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 49 ++++++++++++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -283,7 +283,10 @@ static void mix_pool_bytes(const void *i
+ }
+
+ struct fast_pool {
+- u32 pool[4];
++ union {
++ u32 pool32[4];
++ u64 pool64[2];
++ };
+ unsigned long last;
+ u16 reg_idx;
+ u8 count;
+@@ -294,10 +297,10 @@ struct fast_pool {
+ * collector. It's hardcoded for an 128 bit pool and assumes that any
+ * locks that might be needed are taken by the caller.
+ */
+-static void fast_mix(struct fast_pool *f)
++static void fast_mix(u32 pool[4])
+ {
+- u32 a = f->pool[0], b = f->pool[1];
+- u32 c = f->pool[2], d = f->pool[3];
++ u32 a = pool[0], b = pool[1];
++ u32 c = pool[2], d = pool[3];
+
+ a += b; c += d;
+ b = rol32(b, 6); d = rol32(d, 27);
+@@ -315,9 +318,8 @@ static void fast_mix(struct fast_pool *f
+ b = rol32(b, 16); d = rol32(d, 14);
+ d ^= a; b ^= c;
+
+- f->pool[0] = a; f->pool[1] = b;
+- f->pool[2] = c; f->pool[3] = d;
+- f->count++;
++ pool[0] = a; pool[1] = b;
++ pool[2] = c; pool[3] = d;
+ }
+
+ static void process_random_ready_list(void)
+@@ -782,29 +784,34 @@ void add_interrupt_randomness(int irq)
+ struct pt_regs *regs = get_irq_regs();
+ unsigned long now = jiffies;
+ cycles_t cycles = random_get_entropy();
+- u32 c_high, j_high;
+- u64 ip;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+- c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0;
+- j_high = (sizeof(now) > 4) ? now >> 32 : 0;
+- fast_pool->pool[0] ^= cycles ^ j_high ^ irq;
+- fast_pool->pool[1] ^= now ^ c_high;
+- ip = regs ? instruction_pointer(regs) : _RET_IP_;
+- fast_pool->pool[2] ^= ip;
+- fast_pool->pool[3] ^=
+- (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
+
+- fast_mix(fast_pool);
++ if (sizeof(cycles) == 8)
++ fast_pool->pool64[0] ^= cycles ^ rol64(now, 32) ^ irq;
++ else {
++ fast_pool->pool32[0] ^= cycles ^ irq;
++ fast_pool->pool32[1] ^= now;
++ }
++
++ if (sizeof(unsigned long) == 8)
++ fast_pool->pool64[1] ^= regs ? instruction_pointer(regs) : _RET_IP_;
++ else {
++ fast_pool->pool32[2] ^= regs ? instruction_pointer(regs) : _RET_IP_;
++ fast_pool->pool32[3] ^= get_reg(fast_pool, regs);
++ }
++
++ fast_mix(fast_pool->pool32);
++ ++fast_pool->count;
+
+ if (unlikely(crng_init == 0)) {
+ if (fast_pool->count >= 64 &&
+- crng_fast_load(fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
++ crng_fast_load(fast_pool->pool32, sizeof(fast_pool->pool32)) > 0) {
+ fast_pool->count = 0;
+ fast_pool->last = now;
+ if (spin_trylock(&input_pool.lock)) {
+- _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
++ _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+ spin_unlock(&input_pool.lock);
+ }
+ }
+@@ -818,7 +825,7 @@ void add_interrupt_randomness(int irq)
+ return;
+
+ fast_pool->last = now;
+- _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
++ _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+ spin_unlock(&input_pool.lock);
+
+ fast_pool->count = 0;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 13 Feb 2022 18:25:07 +0100
+Subject: random: do crng pre-init loading in worker rather than irq
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit c2a7de4feb6e09f23af7accc0f882a8fa92e7ae5 upstream.
+
+Taking spinlocks from IRQ context is generally problematic for
+PREEMPT_RT. That is, in part, why we take trylocks instead. However, a
+spin_try_lock() is also problematic since another spin_lock() invocation
+can potentially PI-boost the wrong task, as the spin_try_lock() is
+invoked from an IRQ-context, so the task on CPU (random task or idle) is
+not the actual owner.
+
+Additionally, by deferring the crng pre-init loading to the worker, we
+can use the cryptographic hash function rather than xor, which is
+perhaps a meaningful difference when considering this data has only been
+through the relatively weak fast_mix() function.
+
+The biggest downside of this approach is that the pre-init loading is
+now deferred until later, which means things that need random numbers
+after interrupts are enabled, but before workqueues are running -- or
+before this particular worker manages to run -- are going to get into
+trouble. Hopefully in the real world, this window is rather small,
+especially since this code won't run until 64 interrupts had occurred.
+
+Cc: Sultan Alsawaf <sultan@kerneltoast.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 65 ++++++++++++++------------------------------------
+ 1 file changed, 19 insertions(+), 46 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -441,10 +441,6 @@ static void crng_make_state(u32 chacha_s
+ * boot time when it's better to have something there rather than
+ * nothing.
+ *
+- * There are two paths, a slow one and a fast one. The slow one
+- * hashes the input along with the current key. The fast one simply
+- * xors it in, and should only be used from interrupt context.
+- *
+ * If account is set, then the crng_init_cnt counter is incremented.
+ * This shouldn't be set by functions like add_device_randomness(),
+ * where we can't trust the buffer passed to it is guaranteed to be
+@@ -453,19 +449,15 @@ static void crng_make_state(u32 chacha_s
+ * Returns the number of bytes processed from input, which is bounded
+ * by CRNG_INIT_CNT_THRESH if account is true.
+ */
+-static size_t crng_pre_init_inject(const void *input, size_t len,
+- bool fast, bool account)
++static size_t crng_pre_init_inject(const void *input, size_t len, bool account)
+ {
+ static int crng_init_cnt = 0;
++ struct blake2s_state hash;
+ unsigned long flags;
+
+- if (fast) {
+- if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return 0;
+- } else {
+- spin_lock_irqsave(&base_crng.lock, flags);
+- }
++ blake2s_init(&hash, sizeof(base_crng.key));
+
++ spin_lock_irqsave(&base_crng.lock, flags);
+ if (crng_init != 0) {
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 0;
+@@ -474,21 +466,9 @@ static size_t crng_pre_init_inject(const
+ if (account)
+ len = min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
+
+- if (fast) {
+- const u8 *src = input;
+- size_t i;
+-
+- for (i = 0; i < len; ++i)
+- base_crng.key[(crng_init_cnt + i) %
+- sizeof(base_crng.key)] ^= src[i];
+- } else {
+- struct blake2s_state hash;
+-
+- blake2s_init(&hash, sizeof(base_crng.key));
+- blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+- blake2s_update(&hash, input, len);
+- blake2s_final(&hash, base_crng.key);
+- }
++ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
++ blake2s_update(&hash, input, len);
++ blake2s_final(&hash, base_crng.key);
+
+ if (account) {
+ crng_init_cnt += len;
+@@ -1029,7 +1009,7 @@ void add_device_randomness(const void *b
+ unsigned long flags, now = jiffies;
+
+ if (crng_init == 0 && size)
+- crng_pre_init_inject(buf, size, false, false);
++ crng_pre_init_inject(buf, size, false);
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(&cycles, sizeof(cycles));
+@@ -1150,7 +1130,7 @@ void add_hwgenerator_randomness(const vo
+ size_t entropy)
+ {
+ if (unlikely(crng_init == 0)) {
+- size_t ret = crng_pre_init_inject(buffer, count, false, true);
++ size_t ret = crng_pre_init_inject(buffer, count, true);
+ mix_pool_bytes(buffer, ret);
+ count -= ret;
+ buffer += ret;
+@@ -1290,8 +1270,14 @@ static void mix_interrupt_randomness(str
+ fast_pool->last = jiffies;
+ local_irq_enable();
+
+- mix_pool_bytes(pool, sizeof(pool));
+- credit_entropy_bits(1);
++ if (unlikely(crng_init == 0)) {
++ crng_pre_init_inject(pool, sizeof(pool), true);
++ mix_pool_bytes(pool, sizeof(pool));
++ } else {
++ mix_pool_bytes(pool, sizeof(pool));
++ credit_entropy_bits(1);
++ }
++
+ memzero_explicit(pool, sizeof(pool));
+ }
+
+@@ -1324,24 +1310,11 @@ void add_interrupt_randomness(int irq)
+ fast_mix(fast_pool->pool32);
+ new_count = ++fast_pool->count;
+
+- if (unlikely(crng_init == 0)) {
+- if (new_count >= 64 &&
+- crng_pre_init_inject(fast_pool->pool32, sizeof(fast_pool->pool32),
+- true, true) > 0) {
+- fast_pool->count = 0;
+- fast_pool->last = now;
+- if (spin_trylock(&input_pool.lock)) {
+- _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
+- spin_unlock(&input_pool.lock);
+- }
+- }
+- return;
+- }
+-
+ if (new_count & MIX_INFLIGHT)
+ return;
+
+- if (new_count < 64 && !time_after(now, fast_pool->last + HZ))
++ if (new_count < 64 && (!time_after(now, fast_pool->last + HZ) ||
++ unlikely(crng_init == 0)))
+ return;
+
+ if (unlikely(!fast_pool->mix.func))
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 5 Apr 2022 16:40:51 +0200
+Subject: random: do not allow user to keep crng key around on stack
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit aba120cc101788544aa3e2c30c8da88513892350 upstream.
+
+The fast key erasure RNG design relies on the key that's used to be used
+and then discarded. We do this, making judicious use of
+memzero_explicit(). However, reads to /dev/urandom and calls to
+getrandom() involve a copy_to_user(), and userspace can use FUSE or
+userfaultfd, or make a massive call, dynamically remap memory addresses
+as it goes, and set the process priority to idle, in order to keep a
+kernel stack alive indefinitely. By probing
+/proc/sys/kernel/random/entropy_avail to learn when the crng key is
+refreshed, a malicious userspace could mount this attack every 5 minutes
+thereafter, breaking the crng's forward secrecy.
+
+In order to fix this, we just overwrite the stack's key with the first
+32 bytes of the "free" fast key erasure output. If we're returning <= 32
+bytes to the user, then we can still return those bytes directly, so
+that short reads don't become slower. And for long reads, the difference
+is hopefully lost in the amortization, so it doesn't change much, with
+that amortization helping variously for medium reads.
+
+We don't need to do this for get_random_bytes() and the various
+kernel-space callers, and later, if we ever switch to always batching,
+this won't be necessary either, so there's no need to change the API of
+these functions.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Fixes: c92e040d575a ("random: add backtracking protection to the CRNG")
+Fixes: 186873c549df ("random: use simpler fast key erasure flow on per-cpu keys")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -532,19 +532,29 @@ static ssize_t get_random_bytes_user(voi
+ if (!nbytes)
+ return 0;
+
+- len = min_t(size_t, 32, nbytes);
+- crng_make_state(chacha_state, output, len);
+-
+- if (copy_to_user(buf, output, len))
+- return -EFAULT;
+- nbytes -= len;
+- buf += len;
+- ret += len;
++ /*
++ * Immediately overwrite the ChaCha key at index 4 with random
++ * bytes, in case userspace causes copy_to_user() below to sleep
++ * forever, so that we still retain forward secrecy in that case.
++ */
++ crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE);
++ /*
++ * However, if we're doing a read of len <= 32, we don't need to
++ * use chacha_state after, so we can simply return those bytes to
++ * the user directly.
++ */
++ if (nbytes <= CHACHA_KEY_SIZE) {
++ ret = copy_to_user(buf, &chacha_state[4], nbytes) ? -EFAULT : nbytes;
++ goto out_zero_chacha;
++ }
+
+- while (nbytes) {
++ do {
+ if (large_request && need_resched()) {
+- if (signal_pending(current))
++ if (signal_pending(current)) {
++ if (!ret)
++ ret = -ERESTARTSYS;
+ break;
++ }
+ schedule();
+ }
+
+@@ -561,10 +571,11 @@ static ssize_t get_random_bytes_user(voi
+ nbytes -= len;
+ buf += len;
+ ret += len;
+- }
++ } while (nbytes);
+
+- memzero_explicit(chacha_state, sizeof(chacha_state));
+ memzero_explicit(output, sizeof(output));
++out_zero_chacha:
++ memzero_explicit(chacha_state, sizeof(chacha_state));
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 30 Apr 2022 22:03:29 +0200
+Subject: random: do not pretend to handle premature next security model
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e85c0fc1d94c52483a603651748d4c76d6aa1c6b upstream.
+
+Per the thread linked below, "premature next" is not considered to be a
+realistic threat model, and leads to more serious security problems.
+
+"Premature next" is the scenario in which:
+
+- Attacker compromises the current state of a fully initialized RNG via
+ some kind of infoleak.
+- New bits of entropy are added directly to the key used to generate the
+ /dev/urandom stream, without any buffering or pooling.
+- Attacker then, somehow having read access to /dev/urandom, samples RNG
+ output and brute forces the individual new bits that were added.
+- Result: the RNG never "recovers" from the initial compromise, a
+ so-called violation of what academics term "post-compromise security".
+
+The usual solutions to this involve some form of delaying when entropy
+gets mixed into the crng. With Fortuna, this involves multiple input
+buckets. With what the Linux RNG was trying to do prior, this involves
+entropy estimation.
+
+However, by delaying when entropy gets mixed in, it also means that RNG
+compromises are extremely dangerous during the window of time before
+the RNG has gathered enough entropy, during which time nonces may become
+predictable (or repeated), ephemeral keys may not be secret, and so
+forth. Moreover, it's unclear how realistic "premature next" is from an
+attack perspective, if these attacks even make sense in practice.
+
+Put together -- and discussed in more detail in the thread below --
+these constitute grounds for just doing away with the current code that
+pretends to handle premature next. I say "pretends" because it wasn't
+doing an especially great job at it either; should we change our mind
+about this direction, we would probably implement Fortuna to "fix" the
+"problem", in which case, removing the pretend solution still makes
+sense.
+
+This also reduces the crng reseed period from 5 minutes down to 1
+minute. The rationale from the thread might lead us toward reducing that
+even further in the future (or even eliminating it), but that remains a
+topic of a future commit.
+
+At a high level, this patch changes semantics from:
+
+ Before: Seed for the first time after 256 "bits" of estimated
+ entropy have been accumulated since the system booted. Thereafter,
+ reseed once every five minutes, but only if 256 new "bits" have been
+ accumulated since the last reseeding.
+
+ After: Seed for the first time after 256 "bits" of estimated entropy
+ have been accumulated since the system booted. Thereafter, reseed
+ once every minute.
+
+Most of this patch is renaming and removing: POOL_MIN_BITS becomes
+POOL_INIT_BITS, credit_entropy_bits() becomes credit_init_bits(),
+crng_reseed() loses its "force" parameter since it's now always true,
+the drain_entropy() function no longer has any use so it's removed,
+entropy estimation is skipped if we've already init'd, the various
+notifiers for "low on entropy" are now only active prior to init, and
+finally, some documentation comments are cleaned up here and there.
+
+Link: https://lore.kernel.org/lkml/YmlMGx6+uigkGiZ0@zx2c4.com/
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Nadia Heninger <nadiah@cs.ucsd.edu>
+Cc: Tom Ristenpart <ristenpart@cornell.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 174 +++++++++++++++++---------------------------------
+ 1 file changed, 62 insertions(+), 112 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -15,14 +15,12 @@
+ * - Sysctl interface.
+ *
+ * The high level overview is that there is one input pool, into which
+- * various pieces of data are hashed. Some of that data is then "credited" as
+- * having a certain number of bits of entropy. When enough bits of entropy are
+- * available, the hash is finalized and handed as a key to a stream cipher that
+- * expands it indefinitely for various consumers. This key is periodically
+- * refreshed as the various entropy collectors, described below, add data to the
+- * input pool and credit it. There is currently no Fortuna-like scheduler
+- * involved, which can lead to malicious entropy sources causing a premature
+- * reseed, and the entropy estimates are, at best, conservative guesses.
++ * various pieces of data are hashed. Prior to initialization, some of that
++ * data is then "credited" as having a certain number of bits of entropy.
++ * When enough bits of entropy are available, the hash is finalized and
++ * handed as a key to a stream cipher that expands it indefinitely for
++ * various consumers. This key is periodically refreshed as the various
++ * entropy collectors, described below, add data to the input pool.
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -233,7 +231,10 @@ static void _warn_unseeded_randomness(co
+ *
+ *********************************************************************/
+
+-enum { CRNG_RESEED_INTERVAL = 300 * HZ };
++enum {
++ CRNG_RESEED_START_INTERVAL = HZ,
++ CRNG_RESEED_INTERVAL = 60 * HZ
++};
+
+ static struct {
+ u8 key[CHACHA20_KEY_SIZE] __aligned(__alignof__(long));
+@@ -253,16 +254,10 @@ static DEFINE_PER_CPU(struct crng, crngs
+ .generation = ULONG_MAX
+ };
+
+-/* Used by crng_reseed() to extract a new seed from the input pool. */
+-static bool drain_entropy(void *buf, size_t nbytes);
+-/* Used by crng_make_state() to extract a new seed when crng_init==0. */
++/* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */
+ static void extract_entropy(void *buf, size_t nbytes);
+
+-/*
+- * This extracts a new crng key from the input pool, but only if there is a
+- * sufficient amount of entropy available, in order to mitigate bruteforcing
+- * of newly added bits.
+- */
++/* This extracts a new crng key from the input pool. */
+ static void crng_reseed(void)
+ {
+ unsigned long flags;
+@@ -270,9 +265,7 @@ static void crng_reseed(void)
+ u8 key[CHACHA20_KEY_SIZE];
+ bool finalize_init = false;
+
+- /* Only reseed if we can, to prevent brute forcing a small amount of new bits. */
+- if (!drain_entropy(key, sizeof(key)))
+- return;
++ extract_entropy(key, sizeof(key));
+
+ /*
+ * We copy the new key into the base_crng, overwriting the old one,
+@@ -344,10 +337,10 @@ static void crng_fast_key_erasure(u8 key
+ }
+
+ /*
+- * Return whether the crng seed is considered to be sufficiently
+- * old that a reseeding might be attempted. This happens if the last
+- * reseeding was CRNG_RESEED_INTERVAL ago, or during early boot, at
+- * an interval proportional to the uptime.
++ * Return whether the crng seed is considered to be sufficiently old
++ * that a reseeding is needed. This happens if the last reseeding
++ * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval
++ * proportional to the uptime.
+ */
+ static bool crng_has_old_seed(void)
+ {
+@@ -359,7 +352,7 @@ static bool crng_has_old_seed(void)
+ if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2)
+ WRITE_ONCE(early_boot, false);
+ else
+- interval = max_t(unsigned int, 5 * HZ,
++ interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL,
+ (unsigned int)uptime / 2 * HZ);
+ }
+ return time_after(jiffies, READ_ONCE(base_crng.birth) + interval);
+@@ -401,8 +394,8 @@ static void crng_make_state(u32 chacha_s
+ }
+
+ /*
+- * If the base_crng is old enough, we try to reseed, which in turn
+- * bumps the generation counter that we check below.
++ * If the base_crng is old enough, we reseed, which in turn bumps the
++ * generation counter that we check below.
+ */
+ if (unlikely(crng_has_old_seed()))
+ crng_reseed();
+@@ -731,30 +724,24 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+ *
+ * After which, if added entropy should be credited:
+ *
+- * static void credit_entropy_bits(size_t nbits)
++ * static void credit_init_bits(size_t nbits)
+ *
+- * Finally, extract entropy via these two, with the latter one
+- * setting the entropy count to zero and extracting only if there
+- * is POOL_MIN_BITS entropy credited prior:
++ * Finally, extract entropy via:
+ *
+ * static void extract_entropy(void *buf, size_t nbytes)
+- * static bool drain_entropy(void *buf, size_t nbytes)
+ *
+ **********************************************************************/
+
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+- POOL_MIN_BITS = POOL_BITS, /* No point in settling for less. */
+- POOL_FAST_INIT_BITS = POOL_MIN_BITS / 2
++ POOL_INIT_BITS = POOL_BITS, /* No point in settling for less. */
++ POOL_FAST_INIT_BITS = POOL_INIT_BITS / 2
+ };
+
+-/* For notifying userspace should write into /dev/random. */
+-static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+-
+ static struct {
+ struct blake2s_state hash;
+ spinlock_t lock;
+- unsigned int entropy_count;
++ unsigned int init_bits;
+ } input_pool = {
+ .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
+ BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
+@@ -769,9 +756,9 @@ static void _mix_pool_bytes(const void *
+ }
+
+ /*
+- * This function adds bytes into the entropy "pool". It does not
+- * update the entropy estimate. The caller should call
+- * credit_entropy_bits if this is appropriate.
++ * This function adds bytes into the input pool. It does not
++ * update the initialization bit counter; the caller should call
++ * credit_init_bits if this is appropriate.
+ */
+ static void mix_pool_bytes(const void *in, size_t nbytes)
+ {
+@@ -828,43 +815,24 @@ static void extract_entropy(void *buf, s
+ memzero_explicit(&block, sizeof(block));
+ }
+
+-/*
+- * First we make sure we have POOL_MIN_BITS of entropy in the pool, and then we
+- * set the entropy count to zero (but don't actually touch any data). Only then
+- * can we extract a new key with extract_entropy().
+- */
+-static bool drain_entropy(void *buf, size_t nbytes)
+-{
+- unsigned int entropy_count;
+- do {
+- entropy_count = READ_ONCE(input_pool.entropy_count);
+- if (entropy_count < POOL_MIN_BITS)
+- return false;
+- } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+- extract_entropy(buf, nbytes);
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- return true;
+-}
+-
+-static void credit_entropy_bits(size_t nbits)
++static void credit_init_bits(size_t nbits)
+ {
+- unsigned int entropy_count, orig, add;
++ unsigned int init_bits, orig, add;
+ unsigned long flags;
+
+- if (!nbits)
++ if (crng_ready() || !nbits)
+ return;
+
+ add = min_t(size_t, nbits, POOL_BITS);
+
+ do {
+- orig = READ_ONCE(input_pool.entropy_count);
+- entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+- } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
++ orig = READ_ONCE(input_pool.init_bits);
++ init_bits = min_t(unsigned int, POOL_BITS, orig + add);
++ } while (cmpxchg(&input_pool.init_bits, orig, init_bits) != orig);
+
+- if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
++ if (!crng_ready() && init_bits >= POOL_INIT_BITS)
+ crng_reseed();
+- else if (unlikely(crng_init == 0 && entropy_count >= POOL_FAST_INIT_BITS)) {
++ else if (unlikely(crng_init == 0 && init_bits >= POOL_FAST_INIT_BITS)) {
+ spin_lock_irqsave(&base_crng.lock, flags);
+ if (crng_init == 0) {
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+@@ -970,13 +938,10 @@ int __init rand_initialize(void)
+ _mix_pool_bytes(&now, sizeof(now));
+ _mix_pool_bytes(utsname(), sizeof(*(utsname())));
+
+- extract_entropy(base_crng.key, sizeof(base_crng.key));
+- ++base_crng.generation;
+-
+- if (arch_init && trust_cpu && !crng_ready()) {
+- crng_init = 2;
+- pr_notice("crng init done (trusting CPU's manufacturer)\n");
+- }
++ if (crng_ready())
++ crng_reseed();
++ else if (arch_init && trust_cpu)
++ credit_init_bits(BLAKE2S_BLOCK_SIZE * 8);
+
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
+@@ -1030,6 +995,9 @@ static void add_timer_randomness(struct
+ _mix_pool_bytes(&num, sizeof(num));
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+
++ if (crng_ready())
++ return;
++
+ /*
+ * Calculate number of bits of randomness we probably added.
+ * We take into account the first, second and third-order deltas
+@@ -1060,7 +1028,7 @@ static void add_timer_randomness(struct
+ * Round down by 1 bit on general principles,
+ * and limit entropy estimate to 12 bits.
+ */
+- credit_entropy_bits(min_t(unsigned int, fls(delta >> 1), 11));
++ credit_init_bits(min_t(unsigned int, fls(delta >> 1), 11));
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
+@@ -1113,18 +1081,15 @@ void rand_initialize_disk(struct gendisk
+ void add_hwgenerator_randomness(const void *buffer, size_t count,
+ size_t entropy)
+ {
++ mix_pool_bytes(buffer, count);
++ credit_init_bits(entropy);
++
+ /*
+- * Throttle writing if we're above the trickle threshold.
+- * We'll be woken up again once below POOL_MIN_BITS, when
+- * the calling thread is about to terminate, or once
+- * CRNG_RESEED_INTERVAL has elapsed.
++ * Throttle writing to once every CRNG_RESEED_INTERVAL, unless
++ * we're not yet initialized.
+ */
+- wait_event_interruptible_timeout(random_write_wait,
+- kthread_should_stop() ||
+- input_pool.entropy_count < POOL_MIN_BITS,
+- CRNG_RESEED_INTERVAL);
+- mix_pool_bytes(buffer, count);
+- credit_entropy_bits(entropy);
++ if (!kthread_should_stop() && crng_ready())
++ schedule_timeout_interruptible(CRNG_RESEED_INTERVAL);
+ }
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+@@ -1136,7 +1101,7 @@ void add_bootloader_randomness(const voi
+ {
+ mix_pool_bytes(buf, size);
+ if (trust_bootloader)
+- credit_entropy_bits(size * 8);
++ credit_init_bits(size * 8);
+ }
+ EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+@@ -1237,7 +1202,7 @@ static void mix_interrupt_randomness(str
+ local_irq_enable();
+
+ mix_pool_bytes(pool, sizeof(pool));
+- credit_entropy_bits(1);
++ credit_init_bits(1);
+
+ memzero_explicit(pool, sizeof(pool));
+ }
+@@ -1284,7 +1249,7 @@ EXPORT_SYMBOL_GPL(add_interrupt_randomne
+ */
+ static void entropy_timer(unsigned long data)
+ {
+- credit_entropy_bits(1);
++ credit_init_bits(1);
+ }
+
+ /*
+@@ -1377,16 +1342,8 @@ SYSCALL_DEFINE3(getrandom, char __user *
+
+ static unsigned int random_poll(struct file *file, poll_table *wait)
+ {
+- unsigned int mask;
+-
+ poll_wait(file, &crng_init_wait, wait);
+- poll_wait(file, &random_write_wait, wait);
+- mask = 0;
+- if (crng_ready())
+- mask |= POLLIN | POLLRDNORM;
+- if (input_pool.entropy_count < POOL_MIN_BITS)
+- mask |= POLLOUT | POLLWRNORM;
+- return mask;
++ return crng_ready() ? POLLIN | POLLRDNORM : POLLOUT | POLLWRNORM;
+ }
+
+ static int write_pool(const char __user *ubuf, size_t count)
+@@ -1459,7 +1416,7 @@ static long random_ioctl(struct file *f,
+ switch (cmd) {
+ case RNDGETENTCNT:
+ /* Inherently racy, no point locking. */
+- if (put_user(input_pool.entropy_count, p))
++ if (put_user(input_pool.init_bits, p))
+ return -EFAULT;
+ return 0;
+ case RNDADDTOENTCNT:
+@@ -1469,7 +1426,7 @@ static long random_ioctl(struct file *f,
+ return -EFAULT;
+ if (ent_count < 0)
+ return -EINVAL;
+- credit_entropy_bits(ent_count);
++ credit_init_bits(ent_count);
+ return 0;
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+@@ -1483,20 +1440,13 @@ static long random_ioctl(struct file *f,
+ retval = write_pool((const char __user *)p, size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits(ent_count);
++ credit_init_bits(ent_count);
+ return 0;
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+- /*
+- * Clear the entropy pool counters. We no longer clear
+- * the entropy pool, as that's silly.
+- */
++ /* No longer has any effect. */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+- if (xchg(&input_pool.entropy_count, 0) >= POOL_MIN_BITS) {
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- }
+ return 0;
+ case RNDRESEEDCRNG:
+ if (!capable(CAP_SYS_ADMIN))
+@@ -1553,7 +1503,7 @@ const struct file_operations urandom_fop
+ *
+ * - write_wakeup_threshold - the amount of entropy in the input pool
+ * below which write polls to /dev/random will unblock, requesting
+- * more entropy, tied to the POOL_MIN_BITS constant. It is writable
++ * more entropy, tied to the POOL_INIT_BITS constant. It is writable
+ * to avoid breaking old userspaces, but writing to it does not
+ * change any behavior of the RNG.
+ *
+@@ -1568,7 +1518,7 @@ const struct file_operations urandom_fop
+ #include <linux/sysctl.h>
+
+ static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
+-static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
++static int sysctl_random_write_wakeup_bits = POOL_INIT_BITS;
+ static int sysctl_poolsize = POOL_BITS;
+ static u8 sysctl_bootid[UUID_SIZE];
+
+@@ -1625,7 +1575,7 @@ struct ctl_table random_table[] = {
+ },
+ {
+ .procname = "entropy_avail",
+- .data = &input_pool.entropy_count,
++ .data = &input_pool.init_bits,
+ .maxlen = sizeof(int),
+ .mode = 0444,
+ .proc_handler = proc_dointvec,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 29 Dec 2021 22:10:04 +0100
+Subject: random: do not re-init if crng_reseed completes before primary init
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9c3ddde3f811aabbb83778a2a615bf141b4909ef upstream.
+
+If the bootloader supplies sufficient material and crng_reseed() is called
+very early on, but not too early that wqs aren't available yet, then we
+might transition to crng_init==2 before rand_initialize()'s call to
+crng_initialize_primary() made. Then, when crng_initialize_primary() is
+called, if we're trusting the CPU's RDRAND instructions, we'll
+needlessly reinitialize the RNG and emit a message about it. This is
+mostly harmless, as numa_crng_init() will allocate and then free what it
+just allocated, and excessive calls to invalidate_batched_entropy()
+aren't so harmful. But it is funky and the extra message is confusing,
+so avoid the re-initialization all together by checking for crng_init <
+2 in crng_initialize_primary(), just as we already do in crng_reseed().
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -828,7 +828,7 @@ static void __init crng_initialize_prima
+ {
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+ _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
+- if (crng_init_try_arch_early(crng) && trust_cpu) {
++ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+ crng_init = 2;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 24 Dec 2021 19:17:58 +0100
+Subject: random: do not sign extend bytes for rotation when mixing
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 0d9488ffbf2faddebc6bac055bfa6c93b94056a3 upstream.
+
+By using `char` instead of `unsigned char`, certain platforms will sign
+extend the byte when `w = rol32(*bytes++, input_rotate)` is called,
+meaning that bit 7 is overrepresented when mixing. This isn't a real
+problem (unless the mixer itself is already broken) since it's still
+invertible, but it's not quite correct either. Fix this by using an
+explicit unsigned type.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -549,7 +549,7 @@ static void _mix_pool_bytes(struct entro
+ unsigned long i, tap1, tap2, tap3, tap4, tap5;
+ int input_rotate;
+ int wordmask = r->poolinfo->poolwords - 1;
+- const char *bytes = in;
++ const unsigned char *bytes = in;
+ __u32 w;
+
+ tap1 = r->poolinfo->tap1;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Jan Varho <jan.varho@gmail.com>
+Date: Mon, 4 Apr 2022 19:42:30 +0300
+Subject: random: do not split fast init input in add_hwgenerator_randomness()
+
+From: Jan Varho <jan.varho@gmail.com>
+
+commit 527a9867af29ff89f278d037db704e0ed50fb666 upstream.
+
+add_hwgenerator_randomness() tries to only use the required amount of input
+for fast init, but credits all the entropy, rather than a fraction of
+it. Since it's hard to determine how much entropy is left over out of a
+non-unformly random sample, either give it all to fast init or credit
+it, but don't attempt to do both. In the process, we can clean up the
+injection code to no longer need to return a value.
+
+Signed-off-by: Jan Varho <jan.varho@gmail.com>
+[Jason: expanded commit message]
+Fixes: 73c7733f122e ("random: do not throw away excess input to crng_fast_load")
+Cc: stable@vger.kernel.org # 5.17+, requires af704c856e88
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -437,11 +437,8 @@ static void crng_make_state(u32 chacha_s
+ * This shouldn't be set by functions like add_device_randomness(),
+ * where we can't trust the buffer passed to it is guaranteed to be
+ * unpredictable (so it might not have any entropy at all).
+- *
+- * Returns the number of bytes processed from input, which is bounded
+- * by CRNG_INIT_CNT_THRESH if account is true.
+ */
+-static size_t crng_pre_init_inject(const void *input, size_t len, bool account)
++static void crng_pre_init_inject(const void *input, size_t len, bool account)
+ {
+ static int crng_init_cnt = 0;
+ struct blake2s_state hash;
+@@ -452,18 +449,15 @@ static size_t crng_pre_init_inject(const
+ spin_lock_irqsave(&base_crng.lock, flags);
+ if (crng_init != 0) {
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+- return 0;
++ return;
+ }
+
+- if (account)
+- len = min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
+-
+ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+ blake2s_update(&hash, input, len);
+ blake2s_final(&hash, base_crng.key);
+
+ if (account) {
+- crng_init_cnt += len;
++ crng_init_cnt += min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ ++base_crng.generation;
+ crng_init = 1;
+@@ -474,8 +468,6 @@ static size_t crng_pre_init_inject(const
+
+ if (crng_init == 1)
+ pr_notice("fast init done\n");
+-
+- return len;
+ }
+
+ static void _get_random_bytes(void *buf, size_t nbytes)
+@@ -1133,12 +1125,9 @@ void add_hwgenerator_randomness(const vo
+ size_t entropy)
+ {
+ if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
+- size_t ret = crng_pre_init_inject(buffer, count, true);
+- mix_pool_bytes(buffer, ret);
+- count -= ret;
+- buffer += ret;
+- if (!count || crng_init == 0)
+- return;
++ crng_pre_init_inject(buffer, count, true);
++ mix_pool_bytes(buffer, count);
++ return;
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 12 Feb 2022 01:26:17 +0100
+Subject: random: do not take pool spinlock at boot
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit afba0b80b977b2a8f16234f2acd982f82710ba33 upstream.
+
+Since rand_initialize() is run while interrupts are still off and
+nothing else is running, we don't need to repeatedly take and release
+the pool spinlock, especially in the RDSEED loop.
+
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -973,10 +973,10 @@ int __init rand_initialize(void)
+ rv = random_get_entropy();
+ arch_init = false;
+ }
+- mix_pool_bytes(&rv, sizeof(rv));
++ _mix_pool_bytes(&rv, sizeof(rv));
+ }
+- mix_pool_bytes(&now, sizeof(now));
+- mix_pool_bytes(utsname(), sizeof(*(utsname())));
++ _mix_pool_bytes(&now, sizeof(now));
++ _mix_pool_bytes(utsname(), sizeof(*(utsname())));
+
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ ++base_crng.generation;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 3 May 2022 14:14:32 +0200
+Subject: random: do not use batches when !crng_ready()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit cbe89e5a375a51bbb952929b93fa973416fea74e upstream.
+
+It's too hard to keep the batches synchronized, and pointless anyway,
+since in !crng_ready(), we're updating the base_crng key really often,
+where batching only hurts. So instead, if the crng isn't ready, just
+call into get_random_bytes(). At this stage nothing is performance
+critical anyhow.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 158 ++++++++++++++++++--------------------------------
+ 1 file changed, 59 insertions(+), 99 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -233,10 +233,7 @@ static void _warn_unseeded_randomness(co
+ *
+ *********************************************************************/
+
+-enum {
+- CRNG_RESEED_INTERVAL = 300 * HZ,
+- CRNG_INIT_CNT_THRESH = 2 * CHACHA20_KEY_SIZE
+-};
++enum { CRNG_RESEED_INTERVAL = 300 * HZ };
+
+ static struct {
+ u8 key[CHACHA20_KEY_SIZE] __aligned(__alignof__(long));
+@@ -258,6 +255,8 @@ static DEFINE_PER_CPU(struct crng, crngs
+
+ /* Used by crng_reseed() to extract a new seed from the input pool. */
+ static bool drain_entropy(void *buf, size_t nbytes);
++/* Used by crng_make_state() to extract a new seed when crng_init==0. */
++static void extract_entropy(void *buf, size_t nbytes);
+
+ /*
+ * This extracts a new crng key from the input pool, but only if there is a
+@@ -382,17 +381,20 @@ static void crng_make_state(u32 chacha_s
+ /*
+ * For the fast path, we check whether we're ready, unlocked first, and
+ * then re-check once locked later. In the case where we're really not
+- * ready, we do fast key erasure with the base_crng directly, because
+- * this is what crng_pre_init_inject() mutates during early init.
++ * ready, we do fast key erasure with the base_crng directly, extracting
++ * when crng_init==0.
+ */
+ if (!crng_ready()) {
+ bool ready;
+
+ spin_lock_irqsave(&base_crng.lock, flags);
+ ready = crng_ready();
+- if (!ready)
++ if (!ready) {
++ if (crng_init == 0)
++ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ crng_fast_key_erasure(base_crng.key, chacha_state,
+ random_data, random_data_len);
++ }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ if (!ready)
+ return;
+@@ -433,50 +435,6 @@ static void crng_make_state(u32 chacha_s
+ local_irq_restore(flags);
+ }
+
+-/*
+- * This function is for crng_init == 0 only. It loads entropy directly
+- * into the crng's key, without going through the input pool. It is,
+- * generally speaking, not very safe, but we use this only at early
+- * boot time when it's better to have something there rather than
+- * nothing.
+- *
+- * If account is set, then the crng_init_cnt counter is incremented.
+- * This shouldn't be set by functions like add_device_randomness(),
+- * where we can't trust the buffer passed to it is guaranteed to be
+- * unpredictable (so it might not have any entropy at all).
+- */
+-static void crng_pre_init_inject(const void *input, size_t len, bool account)
+-{
+- static int crng_init_cnt = 0;
+- struct blake2s_state hash;
+- unsigned long flags;
+-
+- blake2s_init(&hash, sizeof(base_crng.key));
+-
+- spin_lock_irqsave(&base_crng.lock, flags);
+- if (crng_init != 0) {
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- return;
+- }
+-
+- blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+- blake2s_update(&hash, input, len);
+- blake2s_final(&hash, base_crng.key);
+-
+- if (account) {
+- crng_init_cnt += min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
+- if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+- ++base_crng.generation;
+- crng_init = 1;
+- }
+- }
+-
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+-
+- if (crng_init == 1)
+- pr_notice("fast init done\n");
+-}
+-
+ static void _get_random_bytes(void *buf, size_t nbytes)
+ {
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+@@ -622,6 +580,11 @@ u64 get_random_u64(void)
+
+ warn_unseeded_randomness(&previous);
+
++ if (!crng_ready()) {
++ _get_random_bytes(&ret, sizeof(ret));
++ return ret;
++ }
++
+ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+
+@@ -655,6 +618,11 @@ u32 get_random_u32(void)
+
+ warn_unseeded_randomness(&previous);
+
++ if (!crng_ready()) {
++ _get_random_bytes(&ret, sizeof(ret));
++ return ret;
++ }
++
+ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+
+@@ -776,7 +744,8 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+- POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
++ POOL_MIN_BITS = POOL_BITS, /* No point in settling for less. */
++ POOL_FAST_INIT_BITS = POOL_MIN_BITS / 2
+ };
+
+ /* For notifying userspace should write into /dev/random. */
+@@ -813,24 +782,6 @@ static void mix_pool_bytes(const void *i
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+
+-static void credit_entropy_bits(size_t nbits)
+-{
+- unsigned int entropy_count, orig, add;
+-
+- if (!nbits)
+- return;
+-
+- add = min_t(size_t, nbits, POOL_BITS);
+-
+- do {
+- orig = READ_ONCE(input_pool.entropy_count);
+- entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+- } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+-
+- if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
+- crng_reseed();
+-}
+-
+ /*
+ * This is an HKDF-like construction for using the hashed collected entropy
+ * as a PRF key, that's then expanded block-by-block.
+@@ -896,6 +847,33 @@ static bool drain_entropy(void *buf, siz
+ return true;
+ }
+
++static void credit_entropy_bits(size_t nbits)
++{
++ unsigned int entropy_count, orig, add;
++ unsigned long flags;
++
++ if (!nbits)
++ return;
++
++ add = min_t(size_t, nbits, POOL_BITS);
++
++ do {
++ orig = READ_ONCE(input_pool.entropy_count);
++ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
++ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
++
++ if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
++ crng_reseed();
++ else if (unlikely(crng_init == 0 && entropy_count >= POOL_FAST_INIT_BITS)) {
++ spin_lock_irqsave(&base_crng.lock, flags);
++ if (crng_init == 0) {
++ extract_entropy(base_crng.key, sizeof(base_crng.key));
++ crng_init = 1;
++ }
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ }
++}
++
+
+ /**********************************************************************
+ *
+@@ -938,9 +916,9 @@ static bool drain_entropy(void *buf, siz
+ * entropy as specified by the caller. If the entropy pool is full it will
+ * block until more entropy is needed.
+ *
+- * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
+- * add_device_randomness(), depending on whether or not the configuration
+- * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
++ * add_bootloader_randomness() is called by bootloader drivers, such as EFI
++ * and device tree, and credits its input depending on whether or not the
++ * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+ *
+ * add_interrupt_randomness() uses the interrupt timing as random
+ * inputs to the entropy pool. Using the cycle counters and the irq source
+@@ -1020,9 +998,6 @@ void add_device_randomness(const void *b
+ unsigned long entropy = random_get_entropy();
+ unsigned long flags;
+
+- if (crng_init == 0 && size)
+- crng_pre_init_inject(buf, size, false);
+-
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(&entropy, sizeof(entropy));
+ _mix_pool_bytes(buf, size);
+@@ -1138,12 +1113,6 @@ void rand_initialize_disk(struct gendisk
+ void add_hwgenerator_randomness(const void *buffer, size_t count,
+ size_t entropy)
+ {
+- if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
+- crng_pre_init_inject(buffer, count, true);
+- mix_pool_bytes(buffer, count);
+- return;
+- }
+-
+ /*
+ * Throttle writing if we're above the trickle threshold.
+ * We'll be woken up again once below POOL_MIN_BITS, when
+@@ -1151,7 +1120,7 @@ void add_hwgenerator_randomness(const vo
+ * CRNG_RESEED_INTERVAL has elapsed.
+ */
+ wait_event_interruptible_timeout(random_write_wait,
+- !system_wq || kthread_should_stop() ||
++ kthread_should_stop() ||
+ input_pool.entropy_count < POOL_MIN_BITS,
+ CRNG_RESEED_INTERVAL);
+ mix_pool_bytes(buffer, count);
+@@ -1160,17 +1129,14 @@ void add_hwgenerator_randomness(const vo
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+ /*
+- * Handle random seed passed by bootloader.
+- * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
+- * it would be regarded as device data.
+- * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
++ * Handle random seed passed by bootloader, and credit it if
++ * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+ */
+ void add_bootloader_randomness(const void *buf, size_t size)
+ {
++ mix_pool_bytes(buf, size);
+ if (trust_bootloader)
+- add_hwgenerator_randomness(buf, size, size * 8);
+- else
+- add_device_randomness(buf, size);
++ credit_entropy_bits(size * 8);
+ }
+ EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+@@ -1270,13 +1236,8 @@ static void mix_interrupt_randomness(str
+ fast_pool->last = jiffies;
+ local_irq_enable();
+
+- if (unlikely(crng_init == 0)) {
+- crng_pre_init_inject(pool, sizeof(pool), true);
+- mix_pool_bytes(pool, sizeof(pool));
+- } else {
+- mix_pool_bytes(pool, sizeof(pool));
+- credit_entropy_bits(1);
+- }
++ mix_pool_bytes(pool, sizeof(pool));
++ credit_entropy_bits(1);
+
+ memzero_explicit(pool, sizeof(pool));
+ }
+@@ -1298,8 +1259,7 @@ void add_interrupt_randomness(int irq)
+ if (new_count & MIX_INFLIGHT)
+ return;
+
+- if (new_count < 64 && (!time_is_before_jiffies(fast_pool->last + HZ) ||
+- unlikely(crng_init == 0)))
++ if (new_count < 64 && !time_is_before_jiffies(fast_pool->last + HZ))
+ return;
+
+ if (unlikely(!fast_pool->mix.func))
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 6 May 2022 18:30:51 +0200
+Subject: random: do not use input pool from hard IRQs
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e3e33fc2ea7fcefd0d761db9d6219f83b4248f5c upstream.
+
+Years ago, a separate fast pool was added for interrupts, so that the
+cost associated with taking the input pool spinlocks and mixing into it
+would be avoided in places where latency is critical. However, one
+oversight was that add_input_randomness() and add_disk_randomness()
+still sometimes are called directly from the interrupt handler, rather
+than being deferred to a thread. This means that some unlucky interrupts
+will be caught doing a blake2s_compress() call and potentially spinning
+on input_pool.lock, which can also be taken by unprivileged users by
+writing into /dev/urandom.
+
+In order to fix this, add_timer_randomness() now checks whether it is
+being called from a hard IRQ and if so, just mixes into the per-cpu IRQ
+fast pool using fast_mix(), which is much faster and can be done
+lock-free. A nice consequence of this, as well, is that it means hard
+IRQ context FPU support is likely no longer useful.
+
+The entropy estimation algorithm used by add_timer_randomness() is also
+somewhat different than the one used for add_interrupt_randomness(). The
+former looks at deltas of deltas of deltas, while the latter just waits
+for 64 interrupts for one bit or for one second since the last bit. In
+order to bridge these, and since add_interrupt_randomness() runs after
+an add_timer_randomness() that's called from hard IRQ, we add to the
+fast pool credit the related amount, and then subtract one to account
+for add_interrupt_randomness()'s contribution.
+
+A downside of this, however, is that the num argument is potentially
+attacker controlled, which puts a bit more pressure on the fast_mix()
+sponge to do more than it's really intended to do. As a mitigating
+factor, the first 96 bits of input aren't attacker controlled (a cycle
+counter followed by zeros), which means it's essentially two rounds of
+siphash rather than one, which is somewhat better. It's also not that
+much different from add_interrupt_randomness()'s use of the irq stack
+instruction pointer register.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Filipe Manana <fdmanana@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 51 +++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1081,6 +1081,7 @@ static void mix_interrupt_randomness(str
+ * we don't wind up "losing" some.
+ */
+ unsigned long pool[2];
++ unsigned int count;
+
+ /* Check to see if we're running on the wrong CPU due to hotplug. */
+ local_irq_disable();
+@@ -1094,12 +1095,13 @@ static void mix_interrupt_randomness(str
+ * consistent view, before we reenable irqs again.
+ */
+ memcpy(pool, fast_pool->pool, sizeof(pool));
++ count = fast_pool->count;
+ fast_pool->count = 0;
+ fast_pool->last = jiffies;
+ local_irq_enable();
+
+ mix_pool_bytes(pool, sizeof(pool));
+- credit_init_bits(1);
++ credit_init_bits(max(1u, (count & U16_MAX) / 64));
+
+ memzero_explicit(pool, sizeof(pool));
+ }
+@@ -1139,22 +1141,30 @@ struct timer_rand_state {
+
+ /*
+ * This function adds entropy to the entropy "pool" by using timing
+- * delays. It uses the timer_rand_state structure to make an estimate
+- * of how many bits of entropy this call has added to the pool.
+- *
+- * The number "num" is also added to the pool - it should somehow describe
+- * the type of event which just happened. This is currently 0-255 for
+- * keyboard scan codes, and 256 upwards for interrupts.
++ * delays. It uses the timer_rand_state structure to make an estimate
++ * of how many bits of entropy this call has added to the pool. The
++ * value "num" is also added to the pool; it should somehow describe
++ * the type of event that just happened.
+ */
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+ {
+ unsigned long entropy = random_get_entropy(), now = jiffies, flags;
+ long delta, delta2, delta3;
++ unsigned int bits;
+
+- spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(&entropy, sizeof(entropy));
+- _mix_pool_bytes(&num, sizeof(num));
+- spin_unlock_irqrestore(&input_pool.lock, flags);
++ /*
++ * If we're in a hard IRQ, add_interrupt_randomness() will be called
++ * sometime after, so mix into the fast pool.
++ */
++ if (in_irq()) {
++ fast_mix(this_cpu_ptr(&irq_randomness)->pool,
++ (unsigned long[2]){ entropy, num });
++ } else {
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(&entropy, sizeof(entropy));
++ _mix_pool_bytes(&num, sizeof(num));
++ spin_unlock_irqrestore(&input_pool.lock, flags);
++ }
+
+ if (crng_ready())
+ return;
+@@ -1185,11 +1195,22 @@ static void add_timer_randomness(struct
+ delta = delta3;
+
+ /*
+- * delta is now minimum absolute delta.
+- * Round down by 1 bit on general principles,
+- * and limit entropy estimate to 12 bits.
++ * delta is now minimum absolute delta. Round down by 1 bit
++ * on general principles, and limit entropy estimate to 11 bits.
++ */
++ bits = min(fls(delta >> 1), 11);
++
++ /*
++ * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness()
++ * will run after this, which uses a different crediting scheme of 1 bit
++ * per every 64 interrupts. In order to let that function do accounting
++ * close to the one in this function, we credit a full 64/64 bit per bit,
++ * and then subtract one to account for the extra one added.
+ */
+- credit_init_bits(min_t(unsigned int, fls(delta >> 1), 11));
++ if (in_irq())
++ this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1;
++ else
++ credit_init_bits(bits);
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Feb 2022 13:00:11 +0100
+Subject: random: do not xor RDRAND when writing into /dev/random
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 91c2afca290ed3034841c8c8532e69ed9e16cf34 upstream.
+
+Continuing the reasoning of "random: ensure early RDSEED goes through
+mixer on init", we don't want RDRAND interacting with anything without
+going through the mixer function, as a backdoored CPU could presumably
+cancel out data during an xor, which it'd have a harder time doing when
+being forced through a cryptographic hash function. There's actually no
+need at all to be calling RDRAND in write_pool(), because before we
+extract from the pool, we always do so with 32 bytes of RDSEED hashed in
+at that stage. Xoring at this stage is needless and introduces a minor
+liability.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1305,25 +1305,15 @@ static unsigned int random_poll(struct f
+ static int write_pool(const char __user *buffer, size_t count)
+ {
+ size_t bytes;
+- u32 t, buf[16];
++ u8 buf[BLAKE2S_BLOCK_SIZE];
+ const char __user *p = buffer;
+
+ while (count > 0) {
+- int b, i = 0;
+-
+ bytes = min(count, sizeof(buf));
+- if (copy_from_user(&buf, p, bytes))
++ if (copy_from_user(buf, p, bytes))
+ return -EFAULT;
+-
+- for (b = bytes; b > 0; b -= sizeof(u32), i++) {
+- if (!arch_get_random_int(&t))
+- break;
+- buf[i] ^= t;
+- }
+-
+ count -= bytes;
+ p += bytes;
+-
+ mix_pool_bytes(buf, bytes);
+ cond_resched();
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Mark Brown <broonie@kernel.org>
+Date: Wed, 1 Dec 2021 17:44:49 +0000
+Subject: random: document add_hwgenerator_randomness() with other input functions
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 2b6c6e3d9ce3aa0e547ac25d60e06fe035cd9f79 upstream.
+
+The section at the top of random.c which documents the input functions
+available does not document add_hwgenerator_randomness() which might lead
+a reader to overlook it. Add a brief note about it.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[Jason: reorganize position of function in doc comment and also document
+ add_bootloader_randomness() while we're at it.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -202,6 +202,9 @@
+ * unsigned int value);
+ * void add_interrupt_randomness(int irq, int irq_flags);
+ * void add_disk_randomness(struct gendisk *disk);
++ * void add_hwgenerator_randomness(const char *buffer, size_t count,
++ * size_t entropy);
++ * void add_bootloader_randomness(const void *buf, unsigned int size);
+ *
+ * add_device_randomness() is for adding data to the random pool that
+ * is likely to differ between two devices (or possibly even per boot).
+@@ -228,6 +231,14 @@
+ * particular randomness source. They do this by keeping track of the
+ * first and second order deltas of the event timings.
+ *
++ * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
++ * entropy as specified by the caller. If the entropy pool is full it will
++ * block until more entropy is needed.
++ *
++ * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
++ * add_device_randomness(), depending on whether or not the configuration
++ * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
++ *
+ * Ensuring unpredictability at system startup
+ * ============================================
+ *
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 18 Apr 2022 20:57:31 +0200
+Subject: random: document crng_fast_key_erasure() destination possibility
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 8717627d6ac53251ee012c3c7aca392f29f38a42 upstream.
+
+This reverts 35a33ff3807d ("random: use memmove instead of memcpy for
+remaining 32 bytes"), which was made on a totally bogus basis. The thing
+it was worried about overlapping came from the stack, not from one of
+its arguments, as Eric pointed out.
+
+But the fact that this confusion even happened draws attention to the
+fact that it's a bit non-obvious that the random_data parameter can
+alias chacha_state, and in fact should do so when the caller can't rely
+on the stack being cleared in a timely manner. So this commit documents
+that.
+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -318,6 +318,13 @@ static void crng_reseed(void)
+ * the resultant ChaCha state to the user, along with the second
+ * half of the block containing 32 bytes of random data that may
+ * be used; random_data_len may not be greater than 32.
++ *
++ * The returned ChaCha state contains within it a copy of the old
++ * key value, at index 4, so the state should always be zeroed out
++ * immediately after using in order to maintain forward secrecy.
++ * If the state cannot be erased in a timely manner, then it is
++ * safer to set the random_data parameter to &chacha_state[4] so
++ * that this function overwrites it before returning.
+ */
+ static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE],
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: George Spelvin <lkml@sdf.org>
+Date: Fri, 19 Apr 2019 23:48:20 -0400
+Subject: random: document get_random_int() family
+
+From: George Spelvin <lkml@sdf.org>
+
+commit 92e507d216139b356a375afbda2824e85235e748 upstream.
+
+Explain what these functions are for and when they offer
+an advantage over get_random_bytes().
+
+(We still need documentation on rng_is_initialized(), the
+random_ready_callback system, and early boot in general.)
+
+Signed-off-by: George Spelvin <lkml@sdf.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 83 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 76 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -101,15 +101,13 @@
+ * Exported interfaces ---- output
+ * ===============================
+ *
+- * There are three exported interfaces; the first is one designed to
+- * be used from within the kernel:
++ * There are four exported interfaces; two for use within the kernel,
++ * and two or use from userspace.
+ *
+- * void get_random_bytes(void *buf, int nbytes);
+- *
+- * This interface will return the requested number of random bytes,
+- * and place it in the requested buffer.
++ * Exported interfaces ---- userspace output
++ * -----------------------------------------
+ *
+- * The two other interfaces are two character devices /dev/random and
++ * The userspace interfaces are two character devices /dev/random and
+ * /dev/urandom. /dev/random is suitable for use when very high
+ * quality randomness is desired (for example, for key generation or
+ * one-time pads), as it will only return a maximum of the number of
+@@ -122,6 +120,77 @@
+ * this will result in random numbers that are merely cryptographically
+ * strong. For many applications, however, this is acceptable.
+ *
++ * Exported interfaces ---- kernel output
++ * --------------------------------------
++ *
++ * The primary kernel interface is
++ *
++ * void get_random_bytes(void *buf, int nbytes);
++ *
++ * This interface will return the requested number of random bytes,
++ * and place it in the requested buffer. This is equivalent to a
++ * read from /dev/urandom.
++ *
++ * For less critical applications, there are the functions:
++ *
++ * u32 get_random_u32()
++ * u64 get_random_u64()
++ * unsigned int get_random_int()
++ * unsigned long get_random_long()
++ *
++ * These are produced by a cryptographic RNG seeded from get_random_bytes,
++ * and so do not deplete the entropy pool as much. These are recommended
++ * for most in-kernel operations *if the result is going to be stored in
++ * the kernel*.
++ *
++ * Specifically, the get_random_int() family do not attempt to do
++ * "anti-backtracking". If you capture the state of the kernel (e.g.
++ * by snapshotting the VM), you can figure out previous get_random_int()
++ * return values. But if the value is stored in the kernel anyway,
++ * this is not a problem.
++ *
++ * It *is* safe to expose get_random_int() output to attackers (e.g. as
++ * network cookies); given outputs 1..n, it's not feasible to predict
++ * outputs 0 or n+1. The only concern is an attacker who breaks into
++ * the kernel later; the get_random_int() engine is not reseeded as
++ * often as the get_random_bytes() one.
++ *
++ * get_random_bytes() is needed for keys that need to stay secret after
++ * they are erased from the kernel. For example, any key that will
++ * be wrapped and stored encrypted. And session encryption keys: we'd
++ * like to know that after the session is closed and the keys erased,
++ * the plaintext is unrecoverable to someone who recorded the ciphertext.
++ *
++ * But for network ports/cookies, stack canaries, PRNG seeds, address
++ * space layout randomization, session *authentication* keys, or other
++ * applications where the sensitive data is stored in the kernel in
++ * plaintext for as long as it's sensitive, the get_random_int() family
++ * is just fine.
++ *
++ * Consider ASLR. We want to keep the address space secret from an
++ * outside attacker while the process is running, but once the address
++ * space is torn down, it's of no use to an attacker any more. And it's
++ * stored in kernel data structures as long as it's alive, so worrying
++ * about an attacker's ability to extrapolate it from the get_random_int()
++ * CRNG is silly.
++ *
++ * Even some cryptographic keys are safe to generate with get_random_int().
++ * In particular, keys for SipHash are generally fine. Here, knowledge
++ * of the key authorizes you to do something to a kernel object (inject
++ * packets to a network connection, or flood a hash table), and the
++ * key is stored with the object being protected. Once it goes away,
++ * we no longer care if anyone knows the key.
++ *
++ * prandom_u32()
++ * -------------
++ *
++ * For even weaker applications, see the pseudorandom generator
++ * prandom_u32(), prandom_max(), and prandom_bytes(). If the random
++ * numbers aren't security-critical at all, these are *far* cheaper.
++ * Useful for self-tests, random error simulation, randomized backoffs,
++ * and any other application where you trust that nobody is trying to
++ * maliciously mess with you by guessing the "random" numbers.
++ *
+ * Exported interfaces ---- input
+ * ==============================
+ *
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 28 Feb 2022 14:00:52 +0100
+Subject: random: don't let 644 read-only sysctls be written to
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 77553cf8f44863b31da242cf24671d76ddb61597 upstream.
+
+We leave around these old sysctls for compatibility, and we keep them
+"writable" for compatibility, but even after writing, we should keep
+reporting the same value. This is consistent with how userspaces tend to
+use sysctl_random_write_wakeup_bits, writing to it, and then later
+reading from it and using the value.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1662,6 +1662,13 @@ static int proc_do_uuid(struct ctl_table
+ return proc_dostring(&fake_table, 0, buffer, lenp, ppos);
+ }
+
++/* The same as proc_dointvec, but writes don't change anything. */
++static int proc_do_rointvec(struct ctl_table *table, int write, void __user *buffer,
++ size_t *lenp, loff_t *ppos)
++{
++ return write ? 0 : proc_dointvec(table, 0, buffer, lenp, ppos);
++}
++
+ extern struct ctl_table random_table[];
+ struct ctl_table random_table[] = {
+ {
+@@ -1683,14 +1690,14 @@ struct ctl_table random_table[] = {
+ .data = &sysctl_random_write_wakeup_bits,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_do_rointvec,
+ },
+ {
+ .procname = "urandom_min_reseed_secs",
+ .data = &sysctl_random_min_urandom_seed,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = proc_do_rointvec,
+ },
+ {
+ .procname = "boot_id",
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Jann Horn <jannh@google.com>
+Date: Mon, 3 Jan 2022 16:59:31 +0100
+Subject: random: don't reset crng_init_cnt on urandom_read()
+
+From: Jann Horn <jannh@google.com>
+
+commit 6c8e11e08a5b74bb8a5cdd5cbc1e5143df0fba72 upstream.
+
+At the moment, urandom_read() (used for /dev/urandom) resets crng_init_cnt
+to zero when it is called at crng_init<2. This is inconsistent: We do it
+for /dev/urandom reads, but not for the equivalent
+getrandom(GRND_INSECURE).
+
+(And worse, as Jason pointed out, we're only doing this as long as
+maxwarn>0.)
+
+crng_init_cnt is only read in crng_fast_load(); it is relevant at
+crng_init==0 for determining when to switch to crng_init==1 (and where in
+the RNG state array to write).
+
+As far as I understand:
+
+ - crng_init==0 means "we have nothing, we might just be returning the same
+ exact numbers on every boot on every machine, we don't even have
+ non-cryptographic randomness; we should shove every bit of entropy we
+ can get into the RNG immediately"
+ - crng_init==1 means "well we have something, it might not be
+ cryptographic, but at least we're not gonna return the same data every
+ time or whatever, it's probably good enough for TCP and ASLR and stuff;
+ we now have time to build up actual cryptographic entropy in the input
+ pool"
+ - crng_init==2 means "this is supposed to be cryptographically secure now,
+ but we'll keep adding more entropy just to be sure".
+
+The current code means that if someone is pulling data from /dev/urandom
+fast enough at crng_init==0, we'll keep resetting crng_init_cnt, and we'll
+never make forward progress to crng_init==1. It seems to be intended to
+prevent an attacker from bruteforcing the contents of small individual RNG
+inputs on the way from crng_init==0 to crng_init==1, but that's misguided;
+crng_init==1 isn't supposed to provide proper cryptographic security
+anyway, RNG users who care about getting secure RNG output have to wait
+until crng_init==2.
+
+This code was inconsistent, and it probably made things worse - just get
+rid of it.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1770,7 +1770,6 @@ urandom_read_nowarn(struct file *file, c
+ static ssize_t
+ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
+ {
+- unsigned long flags;
+ static int maxwarn = 10;
+
+ if (!crng_ready() && maxwarn > 0) {
+@@ -1778,9 +1777,6 @@ urandom_read(struct file *file, char __u
+ if (__ratelimit(&urandom_warning))
+ pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
+ current->comm, nbytes);
+- spin_lock_irqsave(&primary_crng.lock, flags);
+- crng_init_cnt = 0;
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
+ }
+
+ return urandom_read_nowarn(file, buf, nbytes, ppos);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:44 -0800
+Subject: random: Don't wake crng_init_wait when crng_init == 1
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 4c8d062186d9923c09488716b2fb1b829b5b8006 upstream.
+
+crng_init_wait is only used to wayt for crng_init to be set to 2, so
+there's no point to waking it when crng_init is set to 1. Remove the
+unnecessary wake_up_interruptible() call.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/6fbc0bfcbfc1fa2c76fd574f5b6f552b11be7fde.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -962,7 +962,6 @@ static int crng_fast_load(const char *cp
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ invalidate_batched_entropy();
+ crng_init = 1;
+- wake_up_interruptible(&crng_init_wait);
+ pr_notice("random: fast init done\n");
+ }
+ return 1;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Fri, 31 Dec 2021 09:26:08 +0100
+Subject: random: early initialization of ChaCha constants
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit 96562f286884e2db89c74215b199a1084b5fb7f7 upstream.
+
+Previously, the ChaCha constants for the primary pool were only
+initialized in crng_initialize_primary(), called by rand_initialize().
+However, some randomness is actually extracted from the primary pool
+beforehand, e.g. by kmem_cache_create(). Therefore, statically
+initialize the ChaCha constants for the primary pool.
+
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: <linux-crypto@vger.kernel.org>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 ++++-
+ include/crypto/chacha20.h | 15 +++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -458,6 +458,10 @@ struct crng_state {
+
+ static struct crng_state primary_crng = {
+ .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
++ .state[0] = CHACHA_CONSTANT_EXPA,
++ .state[1] = CHACHA_CONSTANT_ND_3,
++ .state[2] = CHACHA_CONSTANT_2_BY,
++ .state[3] = CHACHA_CONSTANT_TE_K,
+ };
+
+ /*
+@@ -824,7 +828,6 @@ static void crng_initialize_secondary(st
+
+ static void __init crng_initialize_primary(struct crng_state *crng)
+ {
+- chacha_init_consts(crng->state);
+ _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
+ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+--- a/include/crypto/chacha20.h
++++ b/include/crypto/chacha20.h
+@@ -25,12 +25,19 @@ int crypto_chacha20_setkey(struct crypto
+ unsigned int keysize);
+ int crypto_chacha20_crypt(struct skcipher_request *req);
+
++enum chacha_constants { /* expand 32-byte k */
++ CHACHA_CONSTANT_EXPA = 0x61707865U,
++ CHACHA_CONSTANT_ND_3 = 0x3320646eU,
++ CHACHA_CONSTANT_2_BY = 0x79622d32U,
++ CHACHA_CONSTANT_TE_K = 0x6b206574U
++};
++
+ static inline void chacha_init_consts(u32 *state)
+ {
+- state[0] = 0x61707865; /* "expa" */
+- state[1] = 0x3320646e; /* "nd 3" */
+- state[2] = 0x79622d32; /* "2-by" */
+- state[3] = 0x6b206574; /* "te k" */
++ state[0] = CHACHA_CONSTANT_EXPA;
++ state[1] = CHACHA_CONSTANT_ND_3;
++ state[2] = CHACHA_CONSTANT_2_BY;
++ state[3] = CHACHA_CONSTANT_TE_K;
+ }
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Feb 2022 12:44:28 +0100
+Subject: random: ensure early RDSEED goes through mixer on init
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a02cf3d0dd77244fd5333ac48d78871de459ae6d upstream.
+
+Continuing the reasoning of "random: use RDSEED instead of RDRAND in
+entropy extraction" from this series, at init time we also don't want to
+be xoring RDSEED directly into the crng. Instead it's safer to put it
+into our entropy collector and then re-extract it, so that it goes
+through a hash function with preimage resistance. As a matter of hygiene,
+we also order these now so that the RDSEED byte are hashed in first,
+followed by the bytes that are likely more predictable (e.g. utsname()).
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1208,24 +1208,18 @@ int __init rand_initialize(void)
+ bool arch_init = true;
+ unsigned long rv;
+
+- mix_pool_bytes(&now, sizeof(now));
+ for (i = BLAKE2S_BLOCK_SIZE; i > 0; i -= sizeof(rv)) {
+- if (!arch_get_random_seed_long(&rv) &&
+- !arch_get_random_long(&rv))
+- rv = random_get_entropy();
+- mix_pool_bytes(&rv, sizeof(rv));
+- }
+- mix_pool_bytes(utsname(), sizeof(*(utsname())));
+-
+- extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
+- for (i = 4; i < 16; i++) {
+ if (!arch_get_random_seed_long_early(&rv) &&
+ !arch_get_random_long_early(&rv)) {
+ rv = random_get_entropy();
+ arch_init = false;
+ }
+- primary_crng.state[i] ^= rv;
++ mix_pool_bytes(&rv, sizeof(rv));
+ }
++ mix_pool_bytes(&now, sizeof(now));
++ mix_pool_bytes(utsname(), sizeof(*(utsname())));
++
++ extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
+ if (arch_init && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ crng_init = 2;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Wed, 29 Dec 2021 22:10:03 +0100
+Subject: random: fix crash on multiple early calls to add_bootloader_randomness()
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit f7e67b8e803185d0aabe7f29d25a35c8be724a78 upstream.
+
+Currently, if CONFIG_RANDOM_TRUST_BOOTLOADER is enabled, multiple calls
+to add_bootloader_randomness() are broken and can cause a NULL pointer
+dereference, as noted by Ivan T. Ivanov. This is not only a hypothetical
+problem, as qemu on arm64 may provide bootloader entropy via EFI and via
+devicetree.
+
+On the first call to add_hwgenerator_randomness(), crng_fast_load() is
+executed, and if the seed is long enough, crng_init will be set to 1.
+On subsequent calls to add_bootloader_randomness() and then to
+add_hwgenerator_randomness(), crng_fast_load() will be skipped. Instead,
+wait_event_interruptible() and then credit_entropy_bits() will be called.
+If the entropy count for that second seed is large enough, that proceeds
+to crng_reseed().
+
+However, both wait_event_interruptible() and crng_reseed() depends
+(at least in numa_crng_init()) on workqueues. Therefore, test whether
+system_wq is already initialized, which is a sufficient indicator that
+workqueue_init_early() has progressed far enough.
+
+If we wind up hitting the !system_wq case, we later want to do what
+would have been done there when wqs are up, so set a flag, and do that
+work later from the rand_initialize() call.
+
+Reported-by: Ivan T. Ivanov <iivanov@suse.de>
+Fixes: 18b915ac6b0a ("efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+[Jason: added crng_need_done state and related logic.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 59 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 38 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -496,6 +496,7 @@ static struct crng_state primary_crng =
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
++static bool crng_need_final_init = false;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+@@ -885,6 +886,38 @@ static void crng_initialize(struct crng_
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
++static void crng_finalize_init(struct crng_state *crng)
++{
++ if (crng != &primary_crng || crng_init >= 2)
++ return;
++ if (!system_wq) {
++ /* We can't call numa_crng_init until we have workqueues,
++ * so mark this for processing later. */
++ crng_need_final_init = true;
++ return;
++ }
++
++ invalidate_batched_entropy();
++ numa_crng_init();
++ crng_init = 2;
++ process_random_ready_list();
++ wake_up_interruptible(&crng_init_wait);
++ kill_fasync(&fasync, SIGIO, POLL_IN);
++ pr_notice("crng init done\n");
++ if (unseeded_warning.missed) {
++ pr_notice("random: %d get_random_xx warning(s) missed "
++ "due to ratelimiting\n",
++ unseeded_warning.missed);
++ unseeded_warning.missed = 0;
++ }
++ if (urandom_warning.missed) {
++ pr_notice("random: %d urandom warning(s) missed "
++ "due to ratelimiting\n",
++ urandom_warning.missed);
++ urandom_warning.missed = 0;
++ }
++}
++
+ #ifdef CONFIG_NUMA
+ static void do_numa_crng_init(struct work_struct *work)
+ {
+@@ -1039,26 +1072,7 @@ static void crng_reseed(struct crng_stat
+ memzero_explicit(&buf, sizeof(buf));
+ WRITE_ONCE(crng->init_time, jiffies);
+ spin_unlock_irqrestore(&crng->lock, flags);
+- if (crng == &primary_crng && crng_init < 2) {
+- invalidate_batched_entropy();
+- numa_crng_init();
+- crng_init = 2;
+- process_random_ready_list();
+- wake_up_interruptible(&crng_init_wait);
+- pr_notice("random: crng init done\n");
+- if (unseeded_warning.missed) {
+- pr_notice("random: %d get_random_xx warning(s) missed "
+- "due to ratelimiting\n",
+- unseeded_warning.missed);
+- unseeded_warning.missed = 0;
+- }
+- if (urandom_warning.missed) {
+- pr_notice("random: %d urandom warning(s) missed "
+- "due to ratelimiting\n",
+- urandom_warning.missed);
+- urandom_warning.missed = 0;
+- }
+- }
++ crng_finalize_init(crng);
+ }
+
+ static void _extract_crng(struct crng_state *crng,
+@@ -1897,6 +1911,8 @@ int __init rand_initialize(void)
+ {
+ init_std_data(&input_pool);
+ init_std_data(&blocking_pool);
++ if (crng_need_final_init)
++ crng_finalize_init(&primary_crng);
+ crng_initialize(&primary_crng);
+ crng_global_init_time = jiffies;
+ if (ratelimit_disable) {
+@@ -2415,7 +2431,8 @@ void add_hwgenerator_randomness(const ch
+ * We'll be woken up again once below random_write_wakeup_thresh,
+ * or when the calling thread is about to terminate.
+ */
+- wait_event_interruptible(random_write_wait, kthread_should_stop() ||
++ wait_event_interruptible(random_write_wait,
++ !system_wq || kthread_should_stop() ||
+ ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
+ mix_pool_bytes(poolp, buffer, count);
+ credit_entropy_bits(poolp, entropy);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Sat, 5 Feb 2022 11:34:57 +0100
+Subject: random: fix locking in crng_fast_load()
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit 7c2fe2b32bf76441ff5b7a425b384e5f75aa530a upstream.
+
+crng_init is protected by primary_crng->lock, so keep holding that lock
+when incrementing crng_init from 0 to 1 in crng_fast_load(). The call to
+pr_notice() can wait until the lock is released; this code path cannot
+be reached twice, as crng_fast_load() aborts early if crng_init > 0.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -646,12 +646,13 @@ static size_t crng_fast_load(const u8 *c
+ p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
+ cp++; crng_init_cnt++; len--; ret++;
+ }
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ invalidate_batched_entropy();
+ crng_init = 1;
+- pr_notice("fast init done\n");
+ }
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
++ if (crng_init == 1)
++ pr_notice("fast init done\n");
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 22 May 2019 12:02:16 -0400
+Subject: random: fix soft lockup when trying to read from an uninitialized blocking pool
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 58be0106c5306b939b07b4b8bf00669a20593f4b upstream.
+
+Fixes: eb9d1bf079bb: "random: only read from /dev/random after its pool has received 128 bits"
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -773,8 +773,11 @@ retry:
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- if (has_initialized)
++ if (has_initialized) {
+ r->initialized = 1;
++ wake_up_interruptible(&random_read_wait);
++ kill_fasync(&fasync, SIGIO, POLL_IN);
++ }
+
+ trace_credit_entropy_bits(r->name, nbits,
+ entropy_count >> ENTROPY_SHIFT, _RET_IP_);
+@@ -790,6 +793,13 @@ retry:
+ entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
+ }
+
++ /* initialize the blocking pool if necessary */
++ if (entropy_bits >= random_read_wakeup_bits &&
++ !other->initialized) {
++ schedule_work(&other->push_work);
++ return;
++ }
++
+ /* should we wake readers? */
+ if (entropy_bits >= random_read_wakeup_bits &&
+ wq_has_sleeper(&random_read_wait)) {
+@@ -1939,8 +1949,8 @@ _random_read(int nonblock, char __user *
+ return -EAGAIN;
+
+ wait_event_interruptible(random_read_wait,
+- ENTROPY_BITS(&input_pool) >=
+- random_read_wakeup_bits);
++ blocking_pool.initialized &&
++ (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits));
+ if (signal_pending(current))
+ return -ERESTARTSYS;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 3 May 2022 21:43:58 +0200
+Subject: random: fix sysctl documentation nits
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 069c4ea6871c18bd368f27756e0f91ffb524a788 upstream.
+
+A semicolon was missing, and the almost-alphabetical-but-not ordering
+was confusing, so regroup these by category instead.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sysctl/kernel.txt | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -795,6 +795,9 @@ This is a directory, with the following
+ * ``boot_id``: a UUID generated the first time this is retrieved, and
+ unvarying after that;
+
++* ``uuid``: a UUID generated every time this is retrieved (this can
++ thus be used to generate UUIDs at will);
++
+ * ``entropy_avail``: the pool's entropy count, in bits;
+
+ * ``poolsize``: the entropy pool size, in bits;
+@@ -802,10 +805,7 @@ This is a directory, with the following
+ * ``urandom_min_reseed_secs``: obsolete (used to determine the minimum
+ number of seconds between urandom pool reseeding). This file is
+ writable for compatibility purposes, but writing to it has no effect
+- on any RNG behavior.
+-
+-* ``uuid``: a UUID generated every time this is retrieved (this can
+- thus be used to generate UUIDs at will);
++ on any RNG behavior;
+
+ * ``write_wakeup_threshold``: when the entropy count drops below this
+ (as a number of bits), processes waiting to write to ``/dev/random``
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 7 Jan 2020 16:55:34 -0500
+Subject: random: fix typo in add_timer_randomness()
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 727d499a6f4f29b6abdb635032f5e53e5905aedb upstream.
+
+s/entimate/estimate
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Link: https://lore.kernel.org/r/20190607182517.28266-4-tiny.windzz@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1211,7 +1211,7 @@ static void add_timer_randomness(struct
+ /*
+ * delta is now minimum absolute delta.
+ * Round down by 1 bit on general principles,
+- * and limit entropy entimate to 12 bits.
++ * and limit entropy estimate to 12 bits.
+ */
+ credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Schspa Shi <schspa@gmail.com>
+Date: Fri, 14 Jan 2022 16:12:16 +0800
+Subject: random: fix typo in comments
+
+From: Schspa Shi <schspa@gmail.com>
+
+commit c0a8a61e7abbf66729687ee63659ee25983fbb1e upstream.
+
+s/or/for
+
+Signed-off-by: Schspa Shi <schspa@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -101,7 +101,7 @@
+ * ===============================
+ *
+ * There are four exported interfaces; two for use within the kernel,
+- * and two or use from userspace.
++ * and two for use from userspace.
+ *
+ * Exported interfaces ---- userspace output
+ * -----------------------------------------
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Tobin C. Harding" <me@tobin.cc>
+Date: Fri, 22 Jun 2018 09:15:31 +1000
+Subject: random: Fix whitespace pre random-bytes work
+
+From: "Tobin C. Harding" <me@tobin.cc>
+
+commit 8ddd6efa56c3fe23df9fe4cf5e2b49cc55416ef4 upstream.
+
+There are a couple of whitespace issues around the function
+get_random_bytes_arch(). In preparation for patching this function
+let's clean them up.
+
+Acked-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1742,7 +1742,7 @@ void get_random_bytes_arch(void *buf, in
+
+ if (!arch_get_random_long(&v))
+ break;
+-
++
+ memcpy(p, &v, chunk);
+ p += chunk;
+ nbytes -= chunk;
+@@ -1753,7 +1753,6 @@ void get_random_bytes_arch(void *buf, in
+ }
+ EXPORT_SYMBOL(get_random_bytes_arch);
+
+-
+ /*
+ * init_std_data - initialize pool with system data
+ *
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 28 Feb 2022 13:57:57 +0100
+Subject: random: give sysctl_random_min_urandom_seed a more sensible value
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit d0efdf35a6a71d307a250199af6fce122a7c7e11 upstream.
+
+This isn't used by anything or anywhere, but we can't delete it due to
+compatibility. So at least give it the correct value of what it's
+supposed to be instead of a garbage one.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1612,7 +1612,7 @@ const struct file_operations urandom_fop
+ * to avoid breaking old userspaces, but writing to it does not
+ * change any behavior of the RNG.
+ *
+- * - urandom_min_reseed_secs - fixed to the meaningless value "60".
++ * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL.
+ * It is writable to avoid breaking old userspaces, but writing
+ * to it does not change any behavior of the RNG.
+ *
+@@ -1622,7 +1622,7 @@ const struct file_operations urandom_fop
+
+ #include <linux/sysctl.h>
+
+-static int sysctl_random_min_urandom_seed = 60;
++static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
+ static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
+ static int sysctl_poolsize = POOL_BITS;
+ static u8 sysctl_bootid[UUID_SIZE];
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:53:34 +0100
+Subject: random: group entropy collection functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 92c653cf14400946f376a29b828d6af7e01f38dd upstream.
+
+This pulls all of the entropy collection-focused functions into the
+fourth labeled section.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 370 +++++++++++++++++++++++++++-----------------------
+ 1 file changed, 206 insertions(+), 164 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1034,60 +1034,112 @@ static bool drain_entropy(void *buf, siz
+ return true;
+ }
+
+-struct fast_pool {
+- union {
+- u32 pool32[4];
+- u64 pool64[2];
+- };
+- unsigned long last;
+- u16 reg_idx;
+- u8 count;
+-};
++
++/**********************************************************************
++ *
++ * Entropy collection routines.
++ *
++ * The following exported functions are used for pushing entropy into
++ * the above entropy accumulation routines:
++ *
++ * void add_device_randomness(const void *buf, size_t size);
++ * void add_input_randomness(unsigned int type, unsigned int code,
++ * unsigned int value);
++ * void add_disk_randomness(struct gendisk *disk);
++ * void add_hwgenerator_randomness(const void *buffer, size_t count,
++ * size_t entropy);
++ * void add_bootloader_randomness(const void *buf, size_t size);
++ * void add_interrupt_randomness(int irq);
++ *
++ * add_device_randomness() adds data to the input pool that
++ * is likely to differ between two devices (or possibly even per boot).
++ * This would be things like MAC addresses or serial numbers, or the
++ * read-out of the RTC. This does *not* credit any actual entropy to
++ * the pool, but it initializes the pool to different values for devices
++ * that might otherwise be identical and have very little entropy
++ * available to them (particularly common in the embedded world).
++ *
++ * add_input_randomness() uses the input layer interrupt timing, as well
++ * as the event type information from the hardware.
++ *
++ * add_disk_randomness() uses what amounts to the seek time of block
++ * layer request events, on a per-disk_devt basis, as input to the
++ * entropy pool. Note that high-speed solid state drives with very low
++ * seek times do not make for good sources of entropy, as their seek
++ * times are usually fairly consistent.
++ *
++ * The above two routines try to estimate how many bits of entropy
++ * to credit. They do this by keeping track of the first and second
++ * order deltas of the event timings.
++ *
++ * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
++ * entropy as specified by the caller. If the entropy pool is full it will
++ * block until more entropy is needed.
++ *
++ * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
++ * add_device_randomness(), depending on whether or not the configuration
++ * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
++ *
++ * add_interrupt_randomness() uses the interrupt timing as random
++ * inputs to the entropy pool. Using the cycle counters and the irq source
++ * as inputs, it feeds the input pool roughly once a second or after 64
++ * interrupts, crediting 1 bit of entropy for whichever comes first.
++ *
++ **********************************************************************/
++
++static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
++static int __init parse_trust_cpu(char *arg)
++{
++ return kstrtobool(arg, &trust_cpu);
++}
++early_param("random.trust_cpu", parse_trust_cpu);
+
+ /*
+- * This is a fast mixing routine used by the interrupt randomness
+- * collector. It's hardcoded for an 128 bit pool and assumes that any
+- * locks that might be needed are taken by the caller.
++ * The first collection of entropy occurs at system boot while interrupts
++ * are still turned off. Here we push in RDSEED, a timestamp, and utsname().
++ * Depending on the above configuration knob, RDSEED may be considered
++ * sufficient for initialization. Note that much earlier setup may already
++ * have pushed entropy into the input pool by the time we get here.
+ */
+-static void fast_mix(u32 pool[4])
++int __init rand_initialize(void)
+ {
+- u32 a = pool[0], b = pool[1];
+- u32 c = pool[2], d = pool[3];
+-
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
++ size_t i;
++ ktime_t now = ktime_get_real();
++ bool arch_init = true;
++ unsigned long rv;
+
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
++ if (!arch_get_random_seed_long_early(&rv) &&
++ !arch_get_random_long_early(&rv)) {
++ rv = random_get_entropy();
++ arch_init = false;
++ }
++ mix_pool_bytes(&rv, sizeof(rv));
++ }
++ mix_pool_bytes(&now, sizeof(now));
++ mix_pool_bytes(utsname(), sizeof(*(utsname())));
+
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
++ extract_entropy(base_crng.key, sizeof(base_crng.key));
++ ++base_crng.generation;
+
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
++ if (arch_init && trust_cpu && crng_init < 2) {
++ crng_init = 2;
++ pr_notice("crng init done (trusting CPU's manufacturer)\n");
++ }
+
+- pool[0] = a; pool[1] = b;
+- pool[2] = c; pool[3] = d;
++ if (ratelimit_disable) {
++ urandom_warning.interval = 0;
++ unseeded_warning.interval = 0;
++ }
++ return 0;
+ }
+
+-/*********************************************************************
+- *
+- * Entropy input management
+- *
+- *********************************************************************/
+-
+ /* There is one of these per entropy source */
+ struct timer_rand_state {
+ cycles_t last_time;
+ long last_delta, last_delta2;
+ };
+
+-#define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, };
+-
+ /*
+ * Add device- or boot-specific data to the input pool to help
+ * initialize it.
+@@ -1111,8 +1163,6 @@ void add_device_randomness(const void *b
+ }
+ EXPORT_SYMBOL(add_device_randomness);
+
+-static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE;
+-
+ /*
+ * This function adds entropy to the entropy "pool" by using timing
+ * delays. It uses the timer_rand_state structure to make an estimate
+@@ -1174,8 +1224,9 @@ void add_input_randomness(unsigned int t
+ unsigned int value)
+ {
+ static unsigned char last_value;
++ static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
+
+- /* ignore autorepeat and the like */
++ /* Ignore autorepeat and the like. */
+ if (value == last_value)
+ return;
+
+@@ -1185,6 +1236,119 @@ void add_input_randomness(unsigned int t
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
++#ifdef CONFIG_BLOCK
++void add_disk_randomness(struct gendisk *disk)
++{
++ if (!disk || !disk->random)
++ return;
++ /* First major is 1, so we get >= 0x200 here. */
++ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
++}
++EXPORT_SYMBOL_GPL(add_disk_randomness);
++
++void rand_initialize_disk(struct gendisk *disk)
++{
++ struct timer_rand_state *state;
++
++ /*
++ * If kzalloc returns null, we just won't use that entropy
++ * source.
++ */
++ state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
++ if (state) {
++ state->last_time = INITIAL_JIFFIES;
++ disk->random = state;
++ }
++}
++#endif
++
++/*
++ * Interface for in-kernel drivers of true hardware RNGs.
++ * Those devices may produce endless random bits and will be throttled
++ * when our pool is full.
++ */
++void add_hwgenerator_randomness(const void *buffer, size_t count,
++ size_t entropy)
++{
++ if (unlikely(crng_init == 0)) {
++ size_t ret = crng_fast_load(buffer, count);
++ mix_pool_bytes(buffer, ret);
++ count -= ret;
++ buffer += ret;
++ if (!count || crng_init == 0)
++ return;
++ }
++
++ /*
++ * Throttle writing if we're above the trickle threshold.
++ * We'll be woken up again once below POOL_MIN_BITS, when
++ * the calling thread is about to terminate, or once
++ * CRNG_RESEED_INTERVAL has elapsed.
++ */
++ wait_event_interruptible_timeout(random_write_wait,
++ !system_wq || kthread_should_stop() ||
++ input_pool.entropy_count < POOL_MIN_BITS,
++ CRNG_RESEED_INTERVAL);
++ mix_pool_bytes(buffer, count);
++ credit_entropy_bits(entropy);
++}
++EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
++
++/*
++ * Handle random seed passed by bootloader.
++ * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
++ * it would be regarded as device data.
++ * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
++ */
++void add_bootloader_randomness(const void *buf, size_t size)
++{
++ if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
++ add_hwgenerator_randomness(buf, size, size * 8);
++ else
++ add_device_randomness(buf, size);
++}
++EXPORT_SYMBOL_GPL(add_bootloader_randomness);
++
++struct fast_pool {
++ union {
++ u32 pool32[4];
++ u64 pool64[2];
++ };
++ unsigned long last;
++ u16 reg_idx;
++ u8 count;
++};
++
++/*
++ * This is a fast mixing routine used by the interrupt randomness
++ * collector. It's hardcoded for an 128 bit pool and assumes that any
++ * locks that might be needed are taken by the caller.
++ */
++static void fast_mix(u32 pool[4])
++{
++ u32 a = pool[0], b = pool[1];
++ u32 c = pool[2], d = pool[3];
++
++ a += b; c += d;
++ b = rol32(b, 6); d = rol32(d, 27);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 16); d = rol32(d, 14);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 6); d = rol32(d, 27);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 16); d = rol32(d, 14);
++ d ^= a; b ^= c;
++
++ pool[0] = a; pool[1] = b;
++ pool[2] = c; pool[3] = d;
++}
++
+ static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
+
+ static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+@@ -1254,22 +1418,11 @@ void add_interrupt_randomness(int irq)
+
+ fast_pool->count = 0;
+
+- /* award one bit for the contents of the fast pool */
++ /* Award one bit for the contents of the fast pool. */
+ credit_entropy_bits(1);
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
+-#ifdef CONFIG_BLOCK
+-void add_disk_randomness(struct gendisk *disk)
+-{
+- if (!disk || !disk->random)
+- return;
+- /* first major is 1, so we get >= 0x200 here */
+- add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+-}
+-EXPORT_SYMBOL_GPL(add_disk_randomness);
+-#endif
+-
+ /*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
+@@ -1319,73 +1472,6 @@ static void try_to_generate_entropy(void
+ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ }
+
+-static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+-static int __init parse_trust_cpu(char *arg)
+-{
+- return kstrtobool(arg, &trust_cpu);
+-}
+-early_param("random.trust_cpu", parse_trust_cpu);
+-
+-/*
+- * Note that setup_arch() may call add_device_randomness()
+- * long before we get here. This allows seeding of the pools
+- * with some platform dependent data very early in the boot
+- * process. But it limits our options here. We must use
+- * statically allocated structures that already have all
+- * initializations complete at compile time. We should also
+- * take care not to overwrite the precious per platform data
+- * we were given.
+- */
+-int __init rand_initialize(void)
+-{
+- size_t i;
+- ktime_t now = ktime_get_real();
+- bool arch_init = true;
+- unsigned long rv;
+-
+- for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
+- if (!arch_get_random_seed_long_early(&rv) &&
+- !arch_get_random_long_early(&rv)) {
+- rv = random_get_entropy();
+- arch_init = false;
+- }
+- mix_pool_bytes(&rv, sizeof(rv));
+- }
+- mix_pool_bytes(&now, sizeof(now));
+- mix_pool_bytes(utsname(), sizeof(*(utsname())));
+-
+- extract_entropy(base_crng.key, sizeof(base_crng.key));
+- ++base_crng.generation;
+-
+- if (arch_init && trust_cpu && crng_init < 2) {
+- crng_init = 2;
+- pr_notice("crng init done (trusting CPU's manufacturer)\n");
+- }
+-
+- if (ratelimit_disable) {
+- urandom_warning.interval = 0;
+- unseeded_warning.interval = 0;
+- }
+- return 0;
+-}
+-
+-#ifdef CONFIG_BLOCK
+-void rand_initialize_disk(struct gendisk *disk)
+-{
+- struct timer_rand_state *state;
+-
+- /*
+- * If kzalloc returns null, we just won't use that entropy
+- * source.
+- */
+- state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
+- if (state) {
+- state->last_time = INITIAL_JIFFIES;
+- disk->random = state;
+- }
+-}
+-#endif
+-
+ static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
+ loff_t *ppos)
+ {
+@@ -1668,47 +1754,3 @@ struct ctl_table random_table[] = {
+ { }
+ };
+ #endif /* CONFIG_SYSCTL */
+-
+-/* Interface for in-kernel drivers of true hardware RNGs.
+- * Those devices may produce endless random bits and will be throttled
+- * when our pool is full.
+- */
+-void add_hwgenerator_randomness(const void *buffer, size_t count,
+- size_t entropy)
+-{
+- if (unlikely(crng_init == 0)) {
+- size_t ret = crng_fast_load(buffer, count);
+- mix_pool_bytes(buffer, ret);
+- count -= ret;
+- buffer += ret;
+- if (!count || crng_init == 0)
+- return;
+- }
+-
+- /* Throttle writing if we're above the trickle threshold.
+- * We'll be woken up again once below POOL_MIN_BITS, when
+- * the calling thread is about to terminate, or once
+- * CRNG_RESEED_INTERVAL has elapsed.
+- */
+- wait_event_interruptible_timeout(random_write_wait,
+- !system_wq || kthread_should_stop() ||
+- input_pool.entropy_count < POOL_MIN_BITS,
+- CRNG_RESEED_INTERVAL);
+- mix_pool_bytes(buffer, count);
+- credit_entropy_bits(entropy);
+-}
+-EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+-
+-/* Handle random seed passed by bootloader.
+- * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
+- * it would be regarded as device data.
+- * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
+- */
+-void add_bootloader_randomness(const void *buf, size_t size)
+-{
+- if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
+- add_hwgenerator_randomness(buf, size, size * 8);
+- else
+- add_device_randomness(buf, size);
+-}
+-EXPORT_SYMBOL_GPL(add_bootloader_randomness);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:53:34 +0100
+Subject: random: group entropy extraction functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a5ed7cb1a7732ef11959332d507889fbc39ebbb4 upstream.
+
+This pulls all of the entropy extraction-focused functions into the
+third labeled section.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 216 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 109 insertions(+), 107 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -890,23 +890,36 @@ size_t __must_check get_random_bytes_arc
+ }
+ EXPORT_SYMBOL(get_random_bytes_arch);
+
++
++/**********************************************************************
++ *
++ * Entropy accumulation and extraction routines.
++ *
++ * Callers may add entropy via:
++ *
++ * static void mix_pool_bytes(const void *in, size_t nbytes)
++ *
++ * After which, if added entropy should be credited:
++ *
++ * static void credit_entropy_bits(size_t nbits)
++ *
++ * Finally, extract entropy via these two, with the latter one
++ * setting the entropy count to zero and extracting only if there
++ * is POOL_MIN_BITS entropy credited prior:
++ *
++ * static void extract_entropy(void *buf, size_t nbytes)
++ * static bool drain_entropy(void *buf, size_t nbytes)
++ *
++ **********************************************************************/
++
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+ POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+ };
+
+-/*
+- * Static global variables
+- */
++/* For notifying userspace should write into /dev/random. */
+ static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+
+-/**********************************************************************
+- *
+- * OS independent entropy store. Here are the functions which handle
+- * storing entropy in an entropy pool.
+- *
+- **********************************************************************/
+-
+ static struct {
+ struct blake2s_state hash;
+ spinlock_t lock;
+@@ -919,28 +932,106 @@ static struct {
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ };
+
+-static void extract_entropy(void *buf, size_t nbytes);
+-static bool drain_entropy(void *buf, size_t nbytes);
+-
+-static void crng_reseed(void);
++static void _mix_pool_bytes(const void *in, size_t nbytes)
++{
++ blake2s_update(&input_pool.hash, in, nbytes);
++}
+
+ /*
+ * This function adds bytes into the entropy "pool". It does not
+ * update the entropy estimate. The caller should call
+ * credit_entropy_bits if this is appropriate.
+ */
+-static void _mix_pool_bytes(const void *in, size_t nbytes)
++static void mix_pool_bytes(const void *in, size_t nbytes)
+ {
+- blake2s_update(&input_pool.hash, in, nbytes);
++ unsigned long flags;
++
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(in, nbytes);
++ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+
+-static void mix_pool_bytes(const void *in, size_t nbytes)
++static void credit_entropy_bits(size_t nbits)
++{
++ unsigned int entropy_count, orig, add;
++
++ if (!nbits)
++ return;
++
++ add = min_t(size_t, nbits, POOL_BITS);
++
++ do {
++ orig = READ_ONCE(input_pool.entropy_count);
++ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
++ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
++
++ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
++ crng_reseed();
++}
++
++/*
++ * This is an HKDF-like construction for using the hashed collected entropy
++ * as a PRF key, that's then expanded block-by-block.
++ */
++static void extract_entropy(void *buf, size_t nbytes)
+ {
+ unsigned long flags;
++ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
++ struct {
++ unsigned long rdseed[32 / sizeof(long)];
++ size_t counter;
++ } block;
++ size_t i;
++
++ for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
++ if (!arch_get_random_seed_long(&block.rdseed[i]) &&
++ !arch_get_random_long(&block.rdseed[i]))
++ block.rdseed[i] = random_get_entropy();
++ }
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(in, nbytes);
++
++ /* seed = HASHPRF(last_key, entropy_input) */
++ blake2s_final(&input_pool.hash, seed);
++
++ /* next_key = HASHPRF(seed, RDSEED || 0) */
++ block.counter = 0;
++ blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
++ blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
++
+ spin_unlock_irqrestore(&input_pool.lock, flags);
++ memzero_explicit(next_key, sizeof(next_key));
++
++ while (nbytes) {
++ i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
++ /* output = HASHPRF(seed, RDSEED || ++counter) */
++ ++block.counter;
++ blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
++ nbytes -= i;
++ buf += i;
++ }
++
++ memzero_explicit(seed, sizeof(seed));
++ memzero_explicit(&block, sizeof(block));
++}
++
++/*
++ * First we make sure we have POOL_MIN_BITS of entropy in the pool, and then we
++ * set the entropy count to zero (but don't actually touch any data). Only then
++ * can we extract a new key with extract_entropy().
++ */
++static bool drain_entropy(void *buf, size_t nbytes)
++{
++ unsigned int entropy_count;
++ do {
++ entropy_count = READ_ONCE(input_pool.entropy_count);
++ if (entropy_count < POOL_MIN_BITS)
++ return false;
++ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
++ extract_entropy(buf, nbytes);
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ return true;
+ }
+
+ struct fast_pool {
+@@ -983,24 +1074,6 @@ static void fast_mix(u32 pool[4])
+ pool[2] = c; pool[3] = d;
+ }
+
+-static void credit_entropy_bits(size_t nbits)
+-{
+- unsigned int entropy_count, orig, add;
+-
+- if (!nbits)
+- return;
+-
+- add = min_t(size_t, nbits, POOL_BITS);
+-
+- do {
+- orig = READ_ONCE(input_pool.entropy_count);
+- entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+- } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+-
+- if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+- crng_reseed();
+-}
+-
+ /*********************************************************************
+ *
+ * Entropy input management
+@@ -1197,77 +1270,6 @@ void add_disk_randomness(struct gendisk
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ #endif
+
+-/*********************************************************************
+- *
+- * Entropy extraction routines
+- *
+- *********************************************************************/
+-
+-/*
+- * This is an HKDF-like construction for using the hashed collected entropy
+- * as a PRF key, that's then expanded block-by-block.
+- */
+-static void extract_entropy(void *buf, size_t nbytes)
+-{
+- unsigned long flags;
+- u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
+- struct {
+- unsigned long rdseed[32 / sizeof(long)];
+- size_t counter;
+- } block;
+- size_t i;
+-
+- for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
+- if (!arch_get_random_seed_long(&block.rdseed[i]) &&
+- !arch_get_random_long(&block.rdseed[i]))
+- block.rdseed[i] = random_get_entropy();
+- }
+-
+- spin_lock_irqsave(&input_pool.lock, flags);
+-
+- /* seed = HASHPRF(last_key, entropy_input) */
+- blake2s_final(&input_pool.hash, seed);
+-
+- /* next_key = HASHPRF(seed, RDSEED || 0) */
+- block.counter = 0;
+- blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
+- blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
+-
+- spin_unlock_irqrestore(&input_pool.lock, flags);
+- memzero_explicit(next_key, sizeof(next_key));
+-
+- while (nbytes) {
+- i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
+- /* output = HASHPRF(seed, RDSEED || ++counter) */
+- ++block.counter;
+- blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
+- nbytes -= i;
+- buf += i;
+- }
+-
+- memzero_explicit(seed, sizeof(seed));
+- memzero_explicit(&block, sizeof(block));
+-}
+-
+-/*
+- * First we make sure we have POOL_MIN_BITS of entropy in the pool, and then we
+- * set the entropy count to zero (but don't actually touch any data). Only then
+- * can we extract a new key with extract_entropy().
+- */
+-static bool drain_entropy(void *buf, size_t nbytes)
+-{
+- unsigned int entropy_count;
+- do {
+- entropy_count = READ_ONCE(input_pool.entropy_count);
+- if (entropy_count < POOL_MIN_BITS)
+- return false;
+- } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+- extract_entropy(buf, nbytes);
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- return true;
+-}
+-
+ /*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:53:34 +0100
+Subject: random: group initialization wait functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 5f1bb112006b104b3e2a1e1b39bbb9b2617581e6 upstream.
+
+This pulls all of the readiness waiting-focused functions into the first
+labeled section.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 1015 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 527 insertions(+), 488 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -201,126 +201,144 @@
+ #include <asm/irq_regs.h>
+ #include <asm/io.h>
+
+-enum {
+- POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+- POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+-};
+-
+-/*
+- * Static global variables
+- */
+-static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+-static struct fasync_struct *fasync;
+-
+-static DEFINE_SPINLOCK(random_ready_list_lock);
+-static LIST_HEAD(random_ready_list);
++/*********************************************************************
++ *
++ * Initialization and readiness waiting.
++ *
++ * Much of the RNG infrastructure is devoted to various dependencies
++ * being able to wait until the RNG has collected enough entropy and
++ * is ready for safe consumption.
++ *
++ *********************************************************************/
+
+ /*
+ * crng_init = 0 --> Uninitialized
+ * 1 --> Initialized
+ * 2 --> Initialized from input_pool
+ *
+- * crng_init is protected by primary_crng->lock, and only increases
++ * crng_init is protected by base_crng->lock, and only increases
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
+ #define crng_ready() (likely(crng_init > 1))
+-static int crng_init_cnt = 0;
+-static void process_random_ready_list(void);
+-static void _get_random_bytes(void *buf, size_t nbytes);
++/* Various types of waiters for crng_init->2 transition. */
++static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
++static struct fasync_struct *fasync;
++static DEFINE_SPINLOCK(random_ready_list_lock);
++static LIST_HEAD(random_ready_list);
+
++/* Control how we warn userspace. */
+ static struct ratelimit_state unseeded_warning =
+ RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
+ static struct ratelimit_state urandom_warning =
+ RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
+-
+ static int ratelimit_disable __read_mostly;
+-
+ module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
+ MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
+
+-/**********************************************************************
+- *
+- * OS independent entropy store. Here are the functions which handle
+- * storing entropy in an entropy pool.
++/*
++ * Returns whether or not the input pool has been seeded and thus guaranteed
++ * to supply cryptographically secure random numbers. This applies to: the
++ * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
++ * ,u64,int,long} family of functions.
+ *
+- **********************************************************************/
+-
+-static struct {
+- struct blake2s_state hash;
+- spinlock_t lock;
+- unsigned int entropy_count;
+-} input_pool = {
+- .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
+- BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
+- BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
+- .hash.outlen = BLAKE2S_HASH_SIZE,
+- .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+-};
+-
+-static void extract_entropy(void *buf, size_t nbytes);
+-static bool drain_entropy(void *buf, size_t nbytes);
++ * Returns: true if the input pool has been seeded.
++ * false if the input pool has not been seeded.
++ */
++bool rng_is_initialized(void)
++{
++ return crng_ready();
++}
++EXPORT_SYMBOL(rng_is_initialized);
+
+-static void crng_reseed(void);
++/* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
++static void try_to_generate_entropy(void);
+
+ /*
+- * This function adds bytes into the entropy "pool". It does not
+- * update the entropy estimate. The caller should call
+- * credit_entropy_bits if this is appropriate.
++ * Wait for the input pool to be seeded and thus guaranteed to supply
++ * cryptographically secure random numbers. This applies to: the /dev/urandom
++ * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
++ * family of functions. Using any of these functions without first calling
++ * this function forfeits the guarantee of security.
++ *
++ * Returns: 0 if the input pool has been seeded.
++ * -ERESTARTSYS if the function was interrupted by a signal.
+ */
+-static void _mix_pool_bytes(const void *in, size_t nbytes)
++int wait_for_random_bytes(void)
+ {
+- blake2s_update(&input_pool.hash, in, nbytes);
+-}
++ if (likely(crng_ready()))
++ return 0;
+
+-static void mix_pool_bytes(const void *in, size_t nbytes)
+-{
+- unsigned long flags;
++ do {
++ int ret;
++ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
++ if (ret)
++ return ret > 0 ? 0 : ret;
+
+- spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(in, nbytes);
+- spin_unlock_irqrestore(&input_pool.lock, flags);
+-}
++ try_to_generate_entropy();
++ } while (!crng_ready());
+
+-struct fast_pool {
+- union {
+- u32 pool32[4];
+- u64 pool64[2];
+- };
+- unsigned long last;
+- u16 reg_idx;
+- u8 count;
+-};
++ return 0;
++}
++EXPORT_SYMBOL(wait_for_random_bytes);
+
+ /*
+- * This is a fast mixing routine used by the interrupt randomness
+- * collector. It's hardcoded for an 128 bit pool and assumes that any
+- * locks that might be needed are taken by the caller.
++ * Add a callback function that will be invoked when the input
++ * pool is initialised.
++ *
++ * returns: 0 if callback is successfully added
++ * -EALREADY if pool is already initialised (callback not called)
++ * -ENOENT if module for callback is not alive
+ */
+-static void fast_mix(u32 pool[4])
++int add_random_ready_callback(struct random_ready_callback *rdy)
+ {
+- u32 a = pool[0], b = pool[1];
+- u32 c = pool[2], d = pool[3];
++ struct module *owner;
++ unsigned long flags;
++ int err = -EALREADY;
+
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
++ if (crng_ready())
++ return err;
+
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
++ owner = rdy->owner;
++ if (!try_module_get(owner))
++ return -ENOENT;
+
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
++ spin_lock_irqsave(&random_ready_list_lock, flags);
++ if (crng_ready())
++ goto out;
+
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
++ owner = NULL;
+
+- pool[0] = a; pool[1] = b;
+- pool[2] = c; pool[3] = d;
++ list_add(&rdy->list, &random_ready_list);
++ err = 0;
++
++out:
++ spin_unlock_irqrestore(&random_ready_list_lock, flags);
++
++ module_put(owner);
++
++ return err;
++}
++EXPORT_SYMBOL(add_random_ready_callback);
++
++/*
++ * Delete a previously registered readiness callback function.
++ */
++void del_random_ready_callback(struct random_ready_callback *rdy)
++{
++ unsigned long flags;
++ struct module *owner = NULL;
++
++ spin_lock_irqsave(&random_ready_list_lock, flags);
++ if (!list_empty(&rdy->list)) {
++ list_del_init(&rdy->list);
++ owner = rdy->owner;
++ }
++ spin_unlock_irqrestore(&random_ready_list_lock, flags);
++
++ module_put(owner);
+ }
++EXPORT_SYMBOL(del_random_ready_callback);
+
+ static void process_random_ready_list(void)
+ {
+@@ -338,27 +356,51 @@ static void process_random_ready_list(vo
+ spin_unlock_irqrestore(&random_ready_list_lock, flags);
+ }
+
+-static void credit_entropy_bits(size_t nbits)
++#define warn_unseeded_randomness(previous) \
++ _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
++
++static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
+ {
+- unsigned int entropy_count, orig, add;
++#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
++ const bool print_once = false;
++#else
++ static bool print_once __read_mostly;
++#endif
+
+- if (!nbits)
++ if (print_once || crng_ready() ||
++ (previous && (caller == READ_ONCE(*previous))))
+ return;
+-
+- add = min_t(size_t, nbits, POOL_BITS);
+-
+- do {
+- orig = READ_ONCE(input_pool.entropy_count);
+- entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+- } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+-
+- if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+- crng_reseed();
++ WRITE_ONCE(*previous, caller);
++#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
++ print_once = true;
++#endif
++ if (__ratelimit(&unseeded_warning))
++ printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
++ func_name, caller, crng_init);
+ }
+
++
+ /*********************************************************************
+ *
+- * CRNG using CHACHA20
++ * Fast key erasure RNG, the "crng".
++ *
++ * These functions expand entropy from the entropy extractor into
++ * long streams for external consumption using the "fast key erasure"
++ * RNG described at <https://blog.cr.yp.to/20170723-random.html>.
++ *
++ * There are a few exported interfaces for use by other drivers:
++ *
++ * void get_random_bytes(void *buf, size_t nbytes)
++ * u32 get_random_u32()
++ * u64 get_random_u64()
++ * unsigned int get_random_int()
++ * unsigned long get_random_long()
++ *
++ * These interfaces will return the requested number of random bytes
++ * into the given buffer or as a return value. This is equivalent to
++ * a read from /dev/urandom. The integer family of functions may be
++ * higher performance for one-off random integers, because they do a
++ * bit of buffering.
+ *
+ *********************************************************************/
+
+@@ -385,72 +427,14 @@ static DEFINE_PER_CPU(struct crng, crngs
+ .generation = ULONG_MAX
+ };
+
+-static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
++/* Used by crng_reseed() to extract a new seed from the input pool. */
++static bool drain_entropy(void *buf, size_t nbytes);
+
+ /*
+- * crng_fast_load() can be called by code in the interrupt service
+- * path. So we can't afford to dilly-dally. Returns the number of
+- * bytes processed from cp.
++ * This extracts a new crng key from the input pool, but only if there is a
++ * sufficient amount of entropy available, in order to mitigate bruteforcing
++ * of newly added bits.
+ */
+-static size_t crng_fast_load(const void *cp, size_t len)
+-{
+- unsigned long flags;
+- const u8 *src = (const u8 *)cp;
+- size_t ret = 0;
+-
+- if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return 0;
+- if (crng_init != 0) {
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- return 0;
+- }
+- while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+- base_crng.key[crng_init_cnt % sizeof(base_crng.key)] ^= *src;
+- src++; crng_init_cnt++; len--; ret++;
+- }
+- if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+- ++base_crng.generation;
+- crng_init = 1;
+- }
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- if (crng_init == 1)
+- pr_notice("fast init done\n");
+- return ret;
+-}
+-
+-/*
+- * crng_slow_load() is called by add_device_randomness, which has two
+- * attributes. (1) We can't trust the buffer passed to it is
+- * guaranteed to be unpredictable (so it might not have any entropy at
+- * all), and (2) it doesn't have the performance constraints of
+- * crng_fast_load().
+- *
+- * So, we simply hash the contents in with the current key. Finally,
+- * we do *not* advance crng_init_cnt since buffer we may get may be
+- * something like a fixed DMI table (for example), which might very
+- * well be unique to the machine, but is otherwise unvarying.
+- */
+-static void crng_slow_load(const void *cp, size_t len)
+-{
+- unsigned long flags;
+- struct blake2s_state hash;
+-
+- blake2s_init(&hash, sizeof(base_crng.key));
+-
+- if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return;
+- if (crng_init != 0) {
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- return;
+- }
+-
+- blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+- blake2s_update(&hash, cp, len);
+- blake2s_final(&hash, base_crng.key);
+-
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+-}
+-
+ static void crng_reseed(void)
+ {
+ unsigned long flags;
+@@ -500,13 +484,11 @@ static void crng_reseed(void)
+ }
+
+ /*
+- * The general form here is based on a "fast key erasure RNG" from
+- * <https://blog.cr.yp.to/20170723-random.html>. It generates a ChaCha
+- * block using the provided key, and then immediately overwites that
+- * key with half the block. It returns the resultant ChaCha state to the
+- * user, along with the second half of the block containing 32 bytes of
+- * random data that may be used; random_data_len may not be greater than
+- * 32.
++ * This generates a ChaCha block using the provided key, and then
++ * immediately overwites that key with half the block. It returns
++ * the resultant ChaCha state to the user, along with the second
++ * half of the block containing 32 bytes of random data that may
++ * be used; random_data_len may not be greater than 32.
+ */
+ static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE],
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
+@@ -593,6 +575,126 @@ static void crng_make_state(u32 chacha_s
+ local_irq_restore(flags);
+ }
+
++/*
++ * This function is for crng_init == 0 only.
++ *
++ * crng_fast_load() can be called by code in the interrupt service
++ * path. So we can't afford to dilly-dally. Returns the number of
++ * bytes processed from cp.
++ */
++static size_t crng_fast_load(const void *cp, size_t len)
++{
++ static int crng_init_cnt = 0;
++ unsigned long flags;
++ const u8 *src = (const u8 *)cp;
++ size_t ret = 0;
++
++ if (!spin_trylock_irqsave(&base_crng.lock, flags))
++ return 0;
++ if (crng_init != 0) {
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ return 0;
++ }
++ while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
++ base_crng.key[crng_init_cnt % sizeof(base_crng.key)] ^= *src;
++ src++; crng_init_cnt++; len--; ret++;
++ }
++ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
++ ++base_crng.generation;
++ crng_init = 1;
++ }
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ if (crng_init == 1)
++ pr_notice("fast init done\n");
++ return ret;
++}
++
++/*
++ * This function is for crng_init == 0 only.
++ *
++ * crng_slow_load() is called by add_device_randomness, which has two
++ * attributes. (1) We can't trust the buffer passed to it is
++ * guaranteed to be unpredictable (so it might not have any entropy at
++ * all), and (2) it doesn't have the performance constraints of
++ * crng_fast_load().
++ *
++ * So, we simply hash the contents in with the current key. Finally,
++ * we do *not* advance crng_init_cnt since buffer we may get may be
++ * something like a fixed DMI table (for example), which might very
++ * well be unique to the machine, but is otherwise unvarying.
++ */
++static void crng_slow_load(const void *cp, size_t len)
++{
++ unsigned long flags;
++ struct blake2s_state hash;
++
++ blake2s_init(&hash, sizeof(base_crng.key));
++
++ if (!spin_trylock_irqsave(&base_crng.lock, flags))
++ return;
++ if (crng_init != 0) {
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ return;
++ }
++
++ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
++ blake2s_update(&hash, cp, len);
++ blake2s_final(&hash, base_crng.key);
++
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++}
++
++static void _get_random_bytes(void *buf, size_t nbytes)
++{
++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
++ u8 tmp[CHACHA20_BLOCK_SIZE];
++ size_t len;
++
++ if (!nbytes)
++ return;
++
++ len = min_t(size_t, 32, nbytes);
++ crng_make_state(chacha_state, buf, len);
++ nbytes -= len;
++ buf += len;
++
++ while (nbytes) {
++ if (nbytes < CHACHA20_BLOCK_SIZE) {
++ chacha20_block(chacha_state, tmp);
++ memcpy(buf, tmp, nbytes);
++ memzero_explicit(tmp, sizeof(tmp));
++ break;
++ }
++
++ chacha20_block(chacha_state, buf);
++ if (unlikely(chacha_state[12] == 0))
++ ++chacha_state[13];
++ nbytes -= CHACHA20_BLOCK_SIZE;
++ buf += CHACHA20_BLOCK_SIZE;
++ }
++
++ memzero_explicit(chacha_state, sizeof(chacha_state));
++}
++
++/*
++ * This function is the exported kernel interface. It returns some
++ * number of good random numbers, suitable for key generation, seeding
++ * TCP sequence numbers, etc. It does not rely on the hardware random
++ * number generator. For random bytes direct from the hardware RNG
++ * (when available), use get_random_bytes_arch(). In order to ensure
++ * that the randomness provided by this function is okay, the function
++ * wait_for_random_bytes() should be called and return 0 at least once
++ * at any point prior.
++ */
++void get_random_bytes(void *buf, size_t nbytes)
++{
++ static void *previous;
++
++ warn_unseeded_randomness(&previous);
++ _get_random_bytes(buf, nbytes);
++}
++EXPORT_SYMBOL(get_random_bytes);
++
+ static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
+ {
+ bool large_request = nbytes > 256;
+@@ -640,6 +742,265 @@ static ssize_t get_random_bytes_user(voi
+ return ret;
+ }
+
++/*
++ * Batched entropy returns random integers. The quality of the random
++ * number is good as /dev/urandom. In order to ensure that the randomness
++ * provided by this function is okay, the function wait_for_random_bytes()
++ * should be called and return 0 at least once at any point prior.
++ */
++struct batched_entropy {
++ union {
++ /*
++ * We make this 1.5x a ChaCha block, so that we get the
++ * remaining 32 bytes from fast key erasure, plus one full
++ * block from the detached ChaCha state. We can increase
++ * the size of this later if needed so long as we keep the
++ * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE.
++ */
++ u64 entropy_u64[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
++ u32 entropy_u32[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
++ };
++ unsigned long generation;
++ unsigned int position;
++};
++
++
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
++ .position = UINT_MAX
++};
++
++u64 get_random_u64(void)
++{
++ u64 ret;
++ unsigned long flags;
++ struct batched_entropy *batch;
++ static void *previous;
++ unsigned long next_gen;
++
++ warn_unseeded_randomness(&previous);
++
++ local_irq_save(flags);
++ batch = raw_cpu_ptr(&batched_entropy_u64);
++
++ next_gen = READ_ONCE(base_crng.generation);
++ if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
++ next_gen != batch->generation) {
++ _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
++ batch->position = 0;
++ batch->generation = next_gen;
++ }
++
++ ret = batch->entropy_u64[batch->position];
++ batch->entropy_u64[batch->position] = 0;
++ ++batch->position;
++ local_irq_restore(flags);
++ return ret;
++}
++EXPORT_SYMBOL(get_random_u64);
++
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
++ .position = UINT_MAX
++};
++
++u32 get_random_u32(void)
++{
++ u32 ret;
++ unsigned long flags;
++ struct batched_entropy *batch;
++ static void *previous;
++ unsigned long next_gen;
++
++ warn_unseeded_randomness(&previous);
++
++ local_irq_save(flags);
++ batch = raw_cpu_ptr(&batched_entropy_u32);
++
++ next_gen = READ_ONCE(base_crng.generation);
++ if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
++ next_gen != batch->generation) {
++ _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
++ batch->position = 0;
++ batch->generation = next_gen;
++ }
++
++ ret = batch->entropy_u32[batch->position];
++ batch->entropy_u32[batch->position] = 0;
++ ++batch->position;
++ local_irq_restore(flags);
++ return ret;
++}
++EXPORT_SYMBOL(get_random_u32);
++
++/**
++ * randomize_page - Generate a random, page aligned address
++ * @start: The smallest acceptable address the caller will take.
++ * @range: The size of the area, starting at @start, within which the
++ * random address must fall.
++ *
++ * If @start + @range would overflow, @range is capped.
++ *
++ * NOTE: Historical use of randomize_range, which this replaces, presumed that
++ * @start was already page aligned. We now align it regardless.
++ *
++ * Return: A page aligned address within [start, start + range). On error,
++ * @start is returned.
++ */
++unsigned long randomize_page(unsigned long start, unsigned long range)
++{
++ if (!PAGE_ALIGNED(start)) {
++ range -= PAGE_ALIGN(start) - start;
++ start = PAGE_ALIGN(start);
++ }
++
++ if (start > ULONG_MAX - range)
++ range = ULONG_MAX - start;
++
++ range >>= PAGE_SHIFT;
++
++ if (range == 0)
++ return start;
++
++ return start + (get_random_long() % range << PAGE_SHIFT);
++}
++
++/*
++ * This function will use the architecture-specific hardware random
++ * number generator if it is available. It is not recommended for
++ * use. Use get_random_bytes() instead. It returns the number of
++ * bytes filled in.
++ */
++size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
++{
++ size_t left = nbytes;
++ u8 *p = buf;
++
++ while (left) {
++ unsigned long v;
++ size_t chunk = min_t(size_t, left, sizeof(unsigned long));
++
++ if (!arch_get_random_long(&v))
++ break;
++
++ memcpy(p, &v, chunk);
++ p += chunk;
++ left -= chunk;
++ }
++
++ return nbytes - left;
++}
++EXPORT_SYMBOL(get_random_bytes_arch);
++
++enum {
++ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
++ POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
++};
++
++/*
++ * Static global variables
++ */
++static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
++
++/**********************************************************************
++ *
++ * OS independent entropy store. Here are the functions which handle
++ * storing entropy in an entropy pool.
++ *
++ **********************************************************************/
++
++static struct {
++ struct blake2s_state hash;
++ spinlock_t lock;
++ unsigned int entropy_count;
++} input_pool = {
++ .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
++ BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
++ BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
++ .hash.outlen = BLAKE2S_HASH_SIZE,
++ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
++};
++
++static void extract_entropy(void *buf, size_t nbytes);
++static bool drain_entropy(void *buf, size_t nbytes);
++
++static void crng_reseed(void);
++
++/*
++ * This function adds bytes into the entropy "pool". It does not
++ * update the entropy estimate. The caller should call
++ * credit_entropy_bits if this is appropriate.
++ */
++static void _mix_pool_bytes(const void *in, size_t nbytes)
++{
++ blake2s_update(&input_pool.hash, in, nbytes);
++}
++
++static void mix_pool_bytes(const void *in, size_t nbytes)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(in, nbytes);
++ spin_unlock_irqrestore(&input_pool.lock, flags);
++}
++
++struct fast_pool {
++ union {
++ u32 pool32[4];
++ u64 pool64[2];
++ };
++ unsigned long last;
++ u16 reg_idx;
++ u8 count;
++};
++
++/*
++ * This is a fast mixing routine used by the interrupt randomness
++ * collector. It's hardcoded for an 128 bit pool and assumes that any
++ * locks that might be needed are taken by the caller.
++ */
++static void fast_mix(u32 pool[4])
++{
++ u32 a = pool[0], b = pool[1];
++ u32 c = pool[2], d = pool[3];
++
++ a += b; c += d;
++ b = rol32(b, 6); d = rol32(d, 27);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 16); d = rol32(d, 14);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 6); d = rol32(d, 27);
++ d ^= a; b ^= c;
++
++ a += b; c += d;
++ b = rol32(b, 16); d = rol32(d, 14);
++ d ^= a; b ^= c;
++
++ pool[0] = a; pool[1] = b;
++ pool[2] = c; pool[3] = d;
++}
++
++static void credit_entropy_bits(size_t nbits)
++{
++ unsigned int entropy_count, orig, add;
++
++ if (!nbits)
++ return;
++
++ add = min_t(size_t, nbits, POOL_BITS);
++
++ do {
++ orig = READ_ONCE(input_pool.entropy_count);
++ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
++ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
++
++ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
++ crng_reseed();
++}
++
+ /*********************************************************************
+ *
+ * Entropy input management
+@@ -907,80 +1268,6 @@ static bool drain_entropy(void *buf, siz
+ return true;
+ }
+
+-#define warn_unseeded_randomness(previous) \
+- _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
+-
+-static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
+-{
+-#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
+- const bool print_once = false;
+-#else
+- static bool print_once __read_mostly;
+-#endif
+-
+- if (print_once || crng_ready() ||
+- (previous && (caller == READ_ONCE(*previous))))
+- return;
+- WRITE_ONCE(*previous, caller);
+-#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
+- print_once = true;
+-#endif
+- if (__ratelimit(&unseeded_warning))
+- printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
+- func_name, caller, crng_init);
+-}
+-
+-/*
+- * This function is the exported kernel interface. It returns some
+- * number of good random numbers, suitable for key generation, seeding
+- * TCP sequence numbers, etc. It does not rely on the hardware random
+- * number generator. For random bytes direct from the hardware RNG
+- * (when available), use get_random_bytes_arch(). In order to ensure
+- * that the randomness provided by this function is okay, the function
+- * wait_for_random_bytes() should be called and return 0 at least once
+- * at any point prior.
+- */
+-static void _get_random_bytes(void *buf, size_t nbytes)
+-{
+- u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+- u8 tmp[CHACHA20_BLOCK_SIZE];
+- size_t len;
+-
+- if (!nbytes)
+- return;
+-
+- len = min_t(size_t, 32, nbytes);
+- crng_make_state(chacha_state, buf, len);
+- nbytes -= len;
+- buf += len;
+-
+- while (nbytes) {
+- if (nbytes < CHACHA20_BLOCK_SIZE) {
+- chacha20_block(chacha_state, tmp);
+- memcpy(buf, tmp, nbytes);
+- memzero_explicit(tmp, sizeof(tmp));
+- break;
+- }
+-
+- chacha20_block(chacha_state, buf);
+- if (unlikely(chacha_state[12] == 0))
+- ++chacha_state[13];
+- nbytes -= CHACHA20_BLOCK_SIZE;
+- buf += CHACHA20_BLOCK_SIZE;
+- }
+-
+- memzero_explicit(chacha_state, sizeof(chacha_state));
+-}
+-
+-void get_random_bytes(void *buf, size_t nbytes)
+-{
+- static void *previous;
+-
+- warn_unseeded_randomness(&previous);
+- _get_random_bytes(buf, nbytes);
+-}
+-EXPORT_SYMBOL(get_random_bytes);
+-
+ /*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
+@@ -1030,134 +1317,6 @@ static void try_to_generate_entropy(void
+ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ }
+
+-/*
+- * Wait for the urandom pool to be seeded and thus guaranteed to supply
+- * cryptographically secure random numbers. This applies to: the /dev/urandom
+- * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
+- * family of functions. Using any of these functions without first calling
+- * this function forfeits the guarantee of security.
+- *
+- * Returns: 0 if the urandom pool has been seeded.
+- * -ERESTARTSYS if the function was interrupted by a signal.
+- */
+-int wait_for_random_bytes(void)
+-{
+- if (likely(crng_ready()))
+- return 0;
+-
+- do {
+- int ret;
+- ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
+- if (ret)
+- return ret > 0 ? 0 : ret;
+-
+- try_to_generate_entropy();
+- } while (!crng_ready());
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(wait_for_random_bytes);
+-
+-/*
+- * Returns whether or not the urandom pool has been seeded and thus guaranteed
+- * to supply cryptographically secure random numbers. This applies to: the
+- * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
+- * ,u64,int,long} family of functions.
+- *
+- * Returns: true if the urandom pool has been seeded.
+- * false if the urandom pool has not been seeded.
+- */
+-bool rng_is_initialized(void)
+-{
+- return crng_ready();
+-}
+-EXPORT_SYMBOL(rng_is_initialized);
+-
+-/*
+- * Add a callback function that will be invoked when the nonblocking
+- * pool is initialised.
+- *
+- * returns: 0 if callback is successfully added
+- * -EALREADY if pool is already initialised (callback not called)
+- * -ENOENT if module for callback is not alive
+- */
+-int add_random_ready_callback(struct random_ready_callback *rdy)
+-{
+- struct module *owner;
+- unsigned long flags;
+- int err = -EALREADY;
+-
+- if (crng_ready())
+- return err;
+-
+- owner = rdy->owner;
+- if (!try_module_get(owner))
+- return -ENOENT;
+-
+- spin_lock_irqsave(&random_ready_list_lock, flags);
+- if (crng_ready())
+- goto out;
+-
+- owner = NULL;
+-
+- list_add(&rdy->list, &random_ready_list);
+- err = 0;
+-
+-out:
+- spin_unlock_irqrestore(&random_ready_list_lock, flags);
+-
+- module_put(owner);
+-
+- return err;
+-}
+-EXPORT_SYMBOL(add_random_ready_callback);
+-
+-/*
+- * Delete a previously registered readiness callback function.
+- */
+-void del_random_ready_callback(struct random_ready_callback *rdy)
+-{
+- unsigned long flags;
+- struct module *owner = NULL;
+-
+- spin_lock_irqsave(&random_ready_list_lock, flags);
+- if (!list_empty(&rdy->list)) {
+- list_del_init(&rdy->list);
+- owner = rdy->owner;
+- }
+- spin_unlock_irqrestore(&random_ready_list_lock, flags);
+-
+- module_put(owner);
+-}
+-EXPORT_SYMBOL(del_random_ready_callback);
+-
+-/*
+- * This function will use the architecture-specific hardware random
+- * number generator if it is available. It is not recommended for
+- * use. Use get_random_bytes() instead. It returns the number of
+- * bytes filled in.
+- */
+-size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
+-{
+- size_t left = nbytes;
+- u8 *p = buf;
+-
+- while (left) {
+- unsigned long v;
+- size_t chunk = min_t(size_t, left, sizeof(unsigned long));
+-
+- if (!arch_get_random_long(&v))
+- break;
+-
+- memcpy(p, &v, chunk);
+- p += chunk;
+- left -= chunk;
+- }
+-
+- return nbytes - left;
+-}
+-EXPORT_SYMBOL(get_random_bytes_arch);
+-
+ static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+ static int __init parse_trust_cpu(char *arg)
+ {
+@@ -1508,126 +1667,6 @@ struct ctl_table random_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+
+-struct batched_entropy {
+- union {
+- /*
+- * We make this 1.5x a ChaCha block, so that we get the
+- * remaining 32 bytes from fast key erasure, plus one full
+- * block from the detached ChaCha state. We can increase
+- * the size of this later if needed so long as we keep the
+- * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE.
+- */
+- u64 entropy_u64[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
+- u32 entropy_u32[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
+- };
+- unsigned long generation;
+- unsigned int position;
+-};
+-
+-/*
+- * Get a random word for internal kernel use only. The quality of the random
+- * number is good as /dev/urandom. In order to ensure that the randomness
+- * provided by this function is okay, the function wait_for_random_bytes()
+- * should be called and return 0 at least once at any point prior.
+- */
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
+- .position = UINT_MAX
+-};
+-
+-u64 get_random_u64(void)
+-{
+- u64 ret;
+- unsigned long flags;
+- struct batched_entropy *batch;
+- static void *previous;
+- unsigned long next_gen;
+-
+- warn_unseeded_randomness(&previous);
+-
+- local_irq_save(flags);
+- batch = raw_cpu_ptr(&batched_entropy_u64);
+-
+- next_gen = READ_ONCE(base_crng.generation);
+- if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
+- next_gen != batch->generation) {
+- _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
+- batch->position = 0;
+- batch->generation = next_gen;
+- }
+-
+- ret = batch->entropy_u64[batch->position];
+- batch->entropy_u64[batch->position] = 0;
+- ++batch->position;
+- local_irq_restore(flags);
+- return ret;
+-}
+-EXPORT_SYMBOL(get_random_u64);
+-
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
+- .position = UINT_MAX
+-};
+-
+-u32 get_random_u32(void)
+-{
+- u32 ret;
+- unsigned long flags;
+- struct batched_entropy *batch;
+- static void *previous;
+- unsigned long next_gen;
+-
+- warn_unseeded_randomness(&previous);
+-
+- local_irq_save(flags);
+- batch = raw_cpu_ptr(&batched_entropy_u32);
+-
+- next_gen = READ_ONCE(base_crng.generation);
+- if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
+- next_gen != batch->generation) {
+- _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
+- batch->position = 0;
+- batch->generation = next_gen;
+- }
+-
+- ret = batch->entropy_u32[batch->position];
+- batch->entropy_u32[batch->position] = 0;
+- ++batch->position;
+- local_irq_restore(flags);
+- return ret;
+-}
+-EXPORT_SYMBOL(get_random_u32);
+-
+-/**
+- * randomize_page - Generate a random, page aligned address
+- * @start: The smallest acceptable address the caller will take.
+- * @range: The size of the area, starting at @start, within which the
+- * random address must fall.
+- *
+- * If @start + @range would overflow, @range is capped.
+- *
+- * NOTE: Historical use of randomize_range, which this replaces, presumed that
+- * @start was already page aligned. We now align it regardless.
+- *
+- * Return: A page aligned address within [start, start + range). On error,
+- * @start is returned.
+- */
+-unsigned long randomize_page(unsigned long start, unsigned long range)
+-{
+- if (!PAGE_ALIGNED(start)) {
+- range -= PAGE_ALIGN(start) - start;
+- start = PAGE_ALIGN(start);
+- }
+-
+- if (start > ULONG_MAX - range)
+- range = ULONG_MAX - start;
+-
+- range >>= PAGE_SHIFT;
+-
+- if (range == 0)
+- return start;
+-
+- return start + (get_random_long() % range << PAGE_SHIFT);
+-}
+-
+ /* Interface for in-kernel drivers of true hardware RNGs.
+ * Those devices may produce endless random bits and will be throttled
+ * when our pool is full.
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:53:34 +0100
+Subject: random: group sysctl functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 0deff3c43206c24e746b1410f11125707ad3040e upstream.
+
+This pulls all of the sysctl-focused functions into the sixth labeled
+section.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1686,9 +1686,34 @@ const struct file_operations urandom_fop
+ .llseek = noop_llseek,
+ };
+
++
+ /********************************************************************
+ *
+- * Sysctl interface
++ * Sysctl interface.
++ *
++ * These are partly unused legacy knobs with dummy values to not break
++ * userspace and partly still useful things. They are usually accessible
++ * in /proc/sys/kernel/random/ and are as follows:
++ *
++ * - boot_id - a UUID representing the current boot.
++ *
++ * - uuid - a random UUID, different each time the file is read.
++ *
++ * - poolsize - the number of bits of entropy that the input pool can
++ * hold, tied to the POOL_BITS constant.
++ *
++ * - entropy_avail - the number of bits of entropy currently in the
++ * input pool. Always <= poolsize.
++ *
++ * - write_wakeup_threshold - the amount of entropy in the input pool
++ * below which write polls to /dev/random will unblock, requesting
++ * more entropy, tied to the POOL_MIN_BITS constant. It is writable
++ * to avoid breaking old userspaces, but writing to it does not
++ * change any behavior of the RNG.
++ *
++ * - urandom_min_reseed_secs - fixed to the meaningless value "60".
++ * It is writable to avoid breaking old userspaces, but writing
++ * to it does not change any behavior of the RNG.
+ *
+ ********************************************************************/
+
+@@ -1696,8 +1721,8 @@ const struct file_operations urandom_fop
+
+ #include <linux/sysctl.h>
+
+-static int random_min_urandom_seed = 60;
+-static int random_write_wakeup_bits = POOL_MIN_BITS;
++static int sysctl_random_min_urandom_seed = 60;
++static int sysctl_random_write_wakeup_bits = POOL_MIN_BITS;
+ static int sysctl_poolsize = POOL_BITS;
+ static char sysctl_bootid[16];
+
+@@ -1755,14 +1780,14 @@ struct ctl_table random_table[] = {
+ },
+ {
+ .procname = "write_wakeup_threshold",
+- .data = &random_write_wakeup_bits,
++ .data = &sysctl_random_write_wakeup_bits,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "urandom_min_reseed_secs",
+- .data = &random_min_urandom_seed,
++ .data = &sysctl_random_min_urandom_seed,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:53:34 +0100
+Subject: random: group userspace read/write functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a6adf8e7a605250b911e94793fd077933709ff9e upstream.
+
+This pulls all of the userspace read/write-focused functions into the
+fifth labeled section.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 125 ++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 77 insertions(+), 48 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1472,30 +1472,61 @@ static void try_to_generate_entropy(void
+ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ }
+
+-static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
+- loff_t *ppos)
++
++/**********************************************************************
++ *
++ * Userspace reader/writer interfaces.
++ *
++ * getrandom(2) is the primary modern interface into the RNG and should
++ * be used in preference to anything else.
++ *
++ * Reading from /dev/random has the same functionality as calling
++ * getrandom(2) with flags=0. In earlier versions, however, it had
++ * vastly different semantics and should therefore be avoided, to
++ * prevent backwards compatibility issues.
++ *
++ * Reading from /dev/urandom has the same functionality as calling
++ * getrandom(2) with flags=GRND_INSECURE. Because it does not block
++ * waiting for the RNG to be ready, it should not be used.
++ *
++ * Writing to either /dev/random or /dev/urandom adds entropy to
++ * the input pool but does not credit it.
++ *
++ * Polling on /dev/random indicates when the RNG is initialized, on
++ * the read side, and when it wants new entropy, on the write side.
++ *
++ * Both /dev/random and /dev/urandom have the same set of ioctls for
++ * adding entropy, getting the entropy count, zeroing the count, and
++ * reseeding the crng.
++ *
++ **********************************************************************/
++
++SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
++ flags)
+ {
+- static int maxwarn = 10;
++ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
++ return -EINVAL;
+
+- if (!crng_ready() && maxwarn > 0) {
+- maxwarn--;
+- if (__ratelimit(&urandom_warning))
+- pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
+- current->comm, nbytes);
+- }
++ /*
++ * Requesting insecure and blocking randomness at the same time makes
++ * no sense.
++ */
++ if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
++ return -EINVAL;
+
+- return get_random_bytes_user(buf, nbytes);
+-}
++ if (count > INT_MAX)
++ count = INT_MAX;
+
+-static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
+- loff_t *ppos)
+-{
+- int ret;
++ if (!(flags & GRND_INSECURE) && !crng_ready()) {
++ int ret;
+
+- ret = wait_for_random_bytes();
+- if (ret != 0)
+- return ret;
+- return get_random_bytes_user(buf, nbytes);
++ if (flags & GRND_NONBLOCK)
++ return -EAGAIN;
++ ret = wait_for_random_bytes();
++ if (unlikely(ret))
++ return ret;
++ }
++ return get_random_bytes_user(buf, count);
+ }
+
+ static unsigned int random_poll(struct file *file, poll_table *wait)
+@@ -1547,6 +1578,32 @@ static ssize_t random_write(struct file
+ return (ssize_t)count;
+ }
+
++static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
++ loff_t *ppos)
++{
++ static int maxwarn = 10;
++
++ if (!crng_ready() && maxwarn > 0) {
++ maxwarn--;
++ if (__ratelimit(&urandom_warning))
++ pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
++ current->comm, nbytes);
++ }
++
++ return get_random_bytes_user(buf, nbytes);
++}
++
++static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
++ loff_t *ppos)
++{
++ int ret;
++
++ ret = wait_for_random_bytes();
++ if (ret != 0)
++ return ret;
++ return get_random_bytes_user(buf, nbytes);
++}
++
+ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+ {
+ int size, ent_count;
+@@ -1555,7 +1612,7 @@ static long random_ioctl(struct file *f,
+
+ switch (cmd) {
+ case RNDGETENTCNT:
+- /* inherently racy, no point locking */
++ /* Inherently racy, no point locking. */
+ if (put_user(input_pool.entropy_count, p))
+ return -EFAULT;
+ return 0;
+@@ -1629,34 +1686,6 @@ const struct file_operations urandom_fop
+ .llseek = noop_llseek,
+ };
+
+-SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
+- flags)
+-{
+- if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+- return -EINVAL;
+-
+- /*
+- * Requesting insecure and blocking randomness at the same time makes
+- * no sense.
+- */
+- if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+- return -EINVAL;
+-
+- if (count > INT_MAX)
+- count = INT_MAX;
+-
+- if (!(flags & GRND_INSECURE) && !crng_ready()) {
+- int ret;
+-
+- if (flags & GRND_NONBLOCK)
+- return -EAGAIN;
+- ret = wait_for_random_bytes();
+- if (unlikely(ret))
+- return ret;
+- }
+- return get_random_bytes_user(buf, count);
+-}
+-
+ /********************************************************************
+ *
+ * Sysctl interface
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 5 May 2022 02:20:22 +0200
+Subject: random: handle latent entropy and command line from random_init()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 2f14062bb14b0fcfcc21e6dc7d5b5c0d25966164 upstream.
+
+Currently, start_kernel() adds latent entropy and the command line to
+the entropy bool *after* the RNG has been initialized, deferring when
+it's actually used by things like stack canaries until the next time
+the pool is seeded. This surely is not intended.
+
+Rather than splitting up which entropy gets added where and when between
+start_kernel() and random_init(), just do everything in random_init(),
+which should eliminate these kinds of bugs in the future.
+
+While we're at it, rename the awkwardly titled "rand_initialize()" to
+the more standard "random_init()" nomenclature.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 13 ++++++++-----
+ include/linux/random.h | 16 +++++++---------
+ init/main.c | 10 +++-------
+ 3 files changed, 18 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -883,12 +883,13 @@ early_param("random.trust_bootloader", p
+
+ /*
+ * The first collection of entropy occurs at system boot while interrupts
+- * are still turned off. Here we push in RDSEED, a timestamp, and utsname().
+- * Depending on the above configuration knob, RDSEED may be considered
+- * sufficient for initialization. Note that much earlier setup may already
+- * have pushed entropy into the input pool by the time we get here.
++ * are still turned off. Here we push in latent entropy, RDSEED, a timestamp,
++ * utsname(), and the command line. Depending on the above configuration knob,
++ * RDSEED may be considered sufficient for initialization. Note that much
++ * earlier setup may already have pushed entropy into the input pool by the
++ * time we get here.
+ */
+-int __init rand_initialize(void)
++int __init random_init(const char *command_line)
+ {
+ size_t i;
+ ktime_t now = ktime_get_real();
+@@ -910,6 +911,8 @@ int __init rand_initialize(void)
+ }
+ _mix_pool_bytes(&now, sizeof(now));
+ _mix_pool_bytes(utsname(), sizeof(*(utsname())));
++ _mix_pool_bytes(command_line, strlen(command_line));
++ add_latent_entropy();
+
+ if (crng_ready())
+ crng_reseed();
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -14,26 +14,24 @@ struct notifier_block;
+
+ extern void add_device_randomness(const void *, size_t);
+ extern void add_bootloader_randomness(const void *, size_t);
++extern void add_input_randomness(unsigned int type, unsigned int code,
++ unsigned int value) __latent_entropy;
++extern void add_interrupt_randomness(int irq) __latent_entropy;
++extern void add_hwgenerator_randomness(const void *buffer, size_t count,
++ size_t entropy);
+
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
+ {
+- add_device_randomness((const void *)&latent_entropy,
+- sizeof(latent_entropy));
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+ }
+ #else
+ static inline void add_latent_entropy(void) {}
+ #endif
+
+-extern void add_input_randomness(unsigned int type, unsigned int code,
+- unsigned int value) __latent_entropy;
+-extern void add_interrupt_randomness(int irq) __latent_entropy;
+-extern void add_hwgenerator_randomness(const void *buffer, size_t count,
+- size_t entropy);
+-
+ extern void get_random_bytes(void *buf, size_t nbytes);
+ extern int wait_for_random_bytes(void);
+-extern int __init rand_initialize(void);
++extern int __init random_init(const char *command_line);
+ extern bool rng_is_initialized(void);
+ extern int register_random_ready_notifier(struct notifier_block *nb);
+ extern int unregister_random_ready_notifier(struct notifier_block *nb);
+--- a/init/main.c
++++ b/init/main.c
+@@ -612,15 +612,11 @@ asmlinkage __visible void __init start_k
+ /*
+ * For best initial stack canary entropy, prepare it after:
+ * - setup_arch() for any UEFI RNG entropy and boot cmdline access
+- * - timekeeping_init() for ktime entropy used in rand_initialize()
++ * - timekeeping_init() for ktime entropy used in random_init()
+ * - time_init() for making random_get_entropy() work on some platforms
+- * - rand_initialize() to get any arch-specific entropy like RDRAND
+- * - add_latent_entropy() to get any latent entropy
+- * - adding command line entropy
++ * - random_init() to initialize the RNG from from early entropy sources
+ */
+- rand_initialize();
+- add_latent_entropy();
+- add_device_randomness(command_line, strlen(command_line));
++ random_init(command_line);
+ boot_init_stack_canary();
+
+ sched_clock_postinit();
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Wed, 29 Dec 2021 22:10:07 +0100
+Subject: random: harmonize "crng init done" messages
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit 161212c7fd1d9069b232785c75492e50941e2ea8 upstream.
+
+We print out "crng init done" for !TRUST_CPU, so we should also print
+out the same for TRUST_CPU.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -832,7 +832,7 @@ static void __init crng_initialize_prima
+ invalidate_batched_entropy();
+ numa_crng_init();
+ crng_init = 2;
+- pr_notice("crng done (trusting CPU's manufacturer)\n");
++ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 6 May 2022 23:19:43 +0200
+Subject: random: help compiler out with fast_mix() by using simpler arguments
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 791332b3cbb080510954a4c152ce02af8832eac9 upstream.
+
+Now that fast_mix() has more than one caller, gcc no longer inlines it.
+That's fine. But it also doesn't handle the compound literal argument we
+pass it very efficiently, nor does it handle the loop as well as it
+could. So just expand the code to spell out this function so that it
+generates the same code as it did before. Performance-wise, this now
+behaves as it did before the last commit. The difference in actual code
+size on x86 is 45 bytes, which is less than a cache line.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 44 +++++++++++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1026,25 +1026,30 @@ static DEFINE_PER_CPU(struct fast_pool,
+ * and therefore this has no security on its own. s represents the
+ * four-word SipHash state, while v represents a two-word input.
+ */
+-static void fast_mix(unsigned long s[4], const unsigned long v[2])
++static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2)
+ {
+- size_t i;
+-
+- for (i = 0; i < 2; ++i) {
+- s[3] ^= v[i];
+ #ifdef CONFIG_64BIT
+- s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32);
+- s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2];
+- s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0];
+- s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32);
++#define PERM() do { \
++ s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32); \
++ s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2]; \
++ s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0]; \
++ s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32); \
++} while (0)
+ #else
+- s[0] += s[1]; s[1] = rol32(s[1], 5); s[1] ^= s[0]; s[0] = rol32(s[0], 16);
+- s[2] += s[3]; s[3] = rol32(s[3], 8); s[3] ^= s[2];
+- s[0] += s[3]; s[3] = rol32(s[3], 7); s[3] ^= s[0];
+- s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16);
++#define PERM() do { \
++ s[0] += s[1]; s[1] = rol32(s[1], 5); s[1] ^= s[0]; s[0] = rol32(s[0], 16); \
++ s[2] += s[3]; s[3] = rol32(s[3], 8); s[3] ^= s[2]; \
++ s[0] += s[3]; s[3] = rol32(s[3], 7); s[3] ^= s[0]; \
++ s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16); \
++} while (0)
+ #endif
+- s[0] ^= v[i];
+- }
++
++ s[3] ^= v1;
++ PERM();
++ s[0] ^= v1;
++ s[3] ^= v2;
++ PERM();
++ s[0] ^= v2;
+ }
+
+ #ifdef CONFIG_SMP
+@@ -1114,10 +1119,8 @@ void add_interrupt_randomness(int irq)
+ struct pt_regs *regs = get_irq_regs();
+ unsigned int new_count;
+
+- fast_mix(fast_pool->pool, (unsigned long[2]){
+- entropy,
+- (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)
+- });
++ fast_mix(fast_pool->pool, entropy,
++ (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq));
+ new_count = ++fast_pool->count;
+
+ if (new_count & MIX_INFLIGHT)
+@@ -1157,8 +1160,7 @@ static void add_timer_randomness(struct
+ * sometime after, so mix into the fast pool.
+ */
+ if (in_irq()) {
+- fast_mix(this_cpu_ptr(&irq_randomness)->pool,
+- (unsigned long[2]){ entropy, num });
++ fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num);
+ } else {
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(&entropy, sizeof(entropy));
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:47 -0800
+Subject: random: ignore GRND_RANDOM in getentropy(2)
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 48446f198f9adcb499b30332488dfd5bc3f176f6 upstream.
+
+The separate blocking pool is going away. Start by ignoring
+GRND_RANDOM in getentropy(2).
+
+This should not materially break any API. Any code that worked
+without this change should work at least as well with this change.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/705c5a091b63cc5da70c99304bb97e0109be0a26.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 3 ---
+ include/uapi/linux/random.h | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2147,9 +2147,6 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (count > INT_MAX)
+ count = INT_MAX;
+
+- if (flags & GRND_RANDOM)
+- return _random_read(flags & GRND_NONBLOCK, buf, count);
+-
+ if (!(flags & GRND_INSECURE) && !crng_ready()) {
+ if (flags & GRND_NONBLOCK)
+ return -EAGAIN;
+--- a/include/uapi/linux/random.h
++++ b/include/uapi/linux/random.h
+@@ -48,7 +48,7 @@ struct rand_pool_info {
+ * Flags for getrandom(2)
+ *
+ * GRND_NONBLOCK Don't block and return EAGAIN instead
+- * GRND_RANDOM Use the /dev/random pool instead of /dev/urandom
++ * GRND_RANDOM No effect
+ * GRND_INSECURE Return non-cryptographic random bytes
+ */
+ #define GRND_NONBLOCK 0x0001
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 21 Mar 2021 22:13:47 -0700
+Subject: random: initialize ChaCha20 constants with correct endianness
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a181e0fdb2164268274453b5b291589edbb9b22d upstream.
+
+On big endian CPUs, the ChaCha20-based CRNG is using the wrong
+endianness for the ChaCha20 constants.
+
+This doesn't matter cryptographically, but technically it means it's not
+ChaCha20 anymore. Fix it to always use the standard constants.
+
+Cc: linux-crypto@vger.kernel.org
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ++--
+ include/crypto/chacha20.h | 8 ++++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -816,7 +816,7 @@ static bool __init crng_init_try_arch_ea
+
+ static void crng_initialize_secondary(struct crng_state *crng)
+ {
+- memcpy(&crng->state[0], "expand 32-byte k", 16);
++ chacha_init_consts(crng->state);
+ _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
+ crng_init_try_arch(crng);
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+@@ -824,7 +824,7 @@ static void crng_initialize_secondary(st
+
+ static void __init crng_initialize_primary(struct crng_state *crng)
+ {
+- memcpy(&crng->state[0], "expand 32-byte k", 16);
++ chacha_init_consts(crng->state);
+ _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
+ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+--- a/include/crypto/chacha20.h
++++ b/include/crypto/chacha20.h
+@@ -25,4 +25,12 @@ int crypto_chacha20_setkey(struct crypto
+ unsigned int keysize);
+ int crypto_chacha20_crypt(struct skcipher_request *req);
+
++static inline void chacha_init_consts(u32 *state)
++{
++ state[0] = 0x61707865; /* "expa" */
++ state[1] = 0x3320646e; /* "nd 3" */
++ state[2] = 0x79622d32; /* "2-by" */
++ state[3] = 0x6b206574; /* "te k" */
++}
++
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Feb 2022 12:40:14 +0100
+Subject: random: inline leaves of rand_initialize()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 8566417221fcec51346ec164e920dacb979c6b5f upstream.
+
+This is a preparatory commit for the following one. We simply inline the
+various functions that rand_initialize() calls that have no other
+callers. The compiler was doing this anyway before. Doing this will
+allow us to reorganize this after. We can then move the trust_cpu and
+parse_trust_cpu definitions a bit closer to where they're actually used,
+which makes the code easier to read.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 90 ++++++++++++++++++--------------------------------
+ 1 file changed, 33 insertions(+), 57 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -476,42 +476,6 @@ static DECLARE_WAIT_QUEUE_HEAD(crng_init
+
+ static void invalidate_batched_entropy(void);
+
+-static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+-static int __init parse_trust_cpu(char *arg)
+-{
+- return kstrtobool(arg, &trust_cpu);
+-}
+-early_param("random.trust_cpu", parse_trust_cpu);
+-
+-static bool __init crng_init_try_arch_early(void)
+-{
+- int i;
+- bool arch_init = true;
+- unsigned long rv;
+-
+- for (i = 4; i < 16; i++) {
+- if (!arch_get_random_seed_long_early(&rv) &&
+- !arch_get_random_long_early(&rv)) {
+- rv = random_get_entropy();
+- arch_init = false;
+- }
+- primary_crng.state[i] ^= rv;
+- }
+-
+- return arch_init;
+-}
+-
+-static void __init crng_initialize(void)
+-{
+- extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
+- if (crng_init_try_arch_early() && trust_cpu && crng_init < 2) {
+- invalidate_batched_entropy();
+- crng_init = 2;
+- pr_notice("crng init done (trusting CPU's manufacturer)\n");
+- }
+- primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+-}
+-
+ /*
+ * crng_fast_load() can be called by code in the interrupt service
+ * path. So we can't afford to dilly-dally. Returns the number of
+@@ -1220,17 +1184,28 @@ int __must_check get_random_bytes_arch(v
+ }
+ EXPORT_SYMBOL(get_random_bytes_arch);
+
++static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
++static int __init parse_trust_cpu(char *arg)
++{
++ return kstrtobool(arg, &trust_cpu);
++}
++early_param("random.trust_cpu", parse_trust_cpu);
++
+ /*
+- * init_std_data - initialize pool with system data
+- *
+- * This function clears the pool's entropy count and mixes some system
+- * data into the pool to prepare it for use. The pool is not cleared
+- * as that can only decrease the entropy in the pool.
++ * Note that setup_arch() may call add_device_randomness()
++ * long before we get here. This allows seeding of the pools
++ * with some platform dependent data very early in the boot
++ * process. But it limits our options here. We must use
++ * statically allocated structures that already have all
++ * initializations complete at compile time. We should also
++ * take care not to overwrite the precious per platform data
++ * we were given.
+ */
+-static void __init init_std_data(void)
++int __init rand_initialize(void)
+ {
+ int i;
+ ktime_t now = ktime_get_real();
++ bool arch_init = true;
+ unsigned long rv;
+
+ mix_pool_bytes(&now, sizeof(now));
+@@ -1241,22 +1216,23 @@ static void __init init_std_data(void)
+ mix_pool_bytes(&rv, sizeof(rv));
+ }
+ mix_pool_bytes(utsname(), sizeof(*(utsname())));
+-}
+
+-/*
+- * Note that setup_arch() may call add_device_randomness()
+- * long before we get here. This allows seeding of the pools
+- * with some platform dependent data very early in the boot
+- * process. But it limits our options here. We must use
+- * statically allocated structures that already have all
+- * initializations complete at compile time. We should also
+- * take care not to overwrite the precious per platform data
+- * we were given.
+- */
+-int __init rand_initialize(void)
+-{
+- init_std_data();
+- crng_initialize();
++ extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
++ for (i = 4; i < 16; i++) {
++ if (!arch_get_random_seed_long_early(&rv) &&
++ !arch_get_random_long_early(&rv)) {
++ rv = random_get_entropy();
++ arch_init = false;
++ }
++ primary_crng.state[i] ^= rv;
++ }
++ if (arch_init && trust_cpu && crng_init < 2) {
++ invalidate_batched_entropy();
++ crng_init = 2;
++ pr_notice("crng init done (trusting CPU's manufacturer)\n");
++ }
++ primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
++
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
+ unseeded_warning.interval = 0;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 12 Apr 2022 19:59:57 +0200
+Subject: random: insist on random_get_entropy() existing in order to simplify
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 4b758eda851eb9336ca86a0041a4d3da55f66511 upstream.
+
+All platforms are now guaranteed to provide some value for
+random_get_entropy(). In case some bug leads to this not being so, we
+print a warning, because that indicates that something is really very
+wrong (and likely other things are impacted too). This should never be
+hit, but it's a good and cheap way of finding out if something ever is
+problematic.
+
+Since we now have viable fallback code for random_get_entropy() on all
+platforms, which is, in the worst case, not worse than jiffies, we can
+count on getting the best possible value out of it. That means there's
+no longer a use for using jiffies as entropy input. It also means we no
+longer have a reason for doing the round-robin register flow in the IRQ
+handler, which was always of fairly dubious value.
+
+Instead we can greatly simplify the IRQ handler inputs and also unify
+the construction between 64-bits and 32-bits. We now collect the cycle
+counter and the return address, since those are the two things that
+matter. Because the return address and the irq number are likely
+related, to the extent we mix in the irq number, we can just xor it into
+the top unchanging bytes of the return address, rather than the bottom
+changing bytes of the cycle counter as before. Then, we can do a fixed 2
+rounds of SipHash/HSipHash. Finally, we use the same construction of
+hashing only half of the [H]SipHash state on 32-bit and 64-bit. We're
+not actually discarding any entropy, since that entropy is carried
+through until the next time. And more importantly, it lets us do the
+same sponge-like construction everywhere.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 86 +++++++++++++++-----------------------------------
+ 1 file changed, 26 insertions(+), 60 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1017,15 +1017,14 @@ int __init rand_initialize(void)
+ */
+ void add_device_randomness(const void *buf, size_t size)
+ {
+- unsigned long cycles = random_get_entropy();
+- unsigned long flags, now = jiffies;
++ unsigned long entropy = random_get_entropy();
++ unsigned long flags;
+
+ if (crng_init == 0 && size)
+ crng_pre_init_inject(buf, size, false);
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(&cycles, sizeof(cycles));
+- _mix_pool_bytes(&now, sizeof(now));
++ _mix_pool_bytes(&entropy, sizeof(entropy));
+ _mix_pool_bytes(buf, size);
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+@@ -1048,12 +1047,11 @@ struct timer_rand_state {
+ */
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+ {
+- unsigned long cycles = random_get_entropy(), now = jiffies, flags;
++ unsigned long entropy = random_get_entropy(), now = jiffies, flags;
+ long delta, delta2, delta3;
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(&cycles, sizeof(cycles));
+- _mix_pool_bytes(&now, sizeof(now));
++ _mix_pool_bytes(&entropy, sizeof(entropy));
+ _mix_pool_bytes(&num, sizeof(num));
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+
+@@ -1181,7 +1179,6 @@ struct fast_pool {
+ unsigned long pool[4];
+ unsigned long last;
+ unsigned int count;
+- u16 reg_idx;
+ };
+
+ static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
+@@ -1199,13 +1196,13 @@ static DEFINE_PER_CPU(struct fast_pool,
+ * This is [Half]SipHash-1-x, starting from an empty key. Because
+ * the key is fixed, it assumes that its inputs are non-malicious,
+ * and therefore this has no security on its own. s represents the
+- * 128 or 256-bit SipHash state, while v represents a 128-bit input.
++ * four-word SipHash state, while v represents a two-word input.
+ */
+-static void fast_mix(unsigned long s[4], const unsigned long *v)
++static void fast_mix(unsigned long s[4], const unsigned long v[2])
+ {
+ size_t i;
+
+- for (i = 0; i < 16 / sizeof(long); ++i) {
++ for (i = 0; i < 2; ++i) {
+ s[3] ^= v[i];
+ #ifdef CONFIG_64BIT
+ s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32);
+@@ -1245,33 +1242,17 @@ int random_online_cpu(unsigned int cpu)
+ }
+ #endif
+
+-static unsigned long get_reg(struct fast_pool *f, struct pt_regs *regs)
+-{
+- unsigned long *ptr = (unsigned long *)regs;
+- unsigned int idx;
+-
+- if (regs == NULL)
+- return 0;
+- idx = READ_ONCE(f->reg_idx);
+- if (idx >= sizeof(struct pt_regs) / sizeof(unsigned long))
+- idx = 0;
+- ptr += idx++;
+- WRITE_ONCE(f->reg_idx, idx);
+- return *ptr;
+-}
+-
+ static void mix_interrupt_randomness(struct work_struct *work)
+ {
+ struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
+ /*
+- * The size of the copied stack pool is explicitly 16 bytes so that we
+- * tax mix_pool_byte()'s compression function the same amount on all
+- * platforms. This means on 64-bit we copy half the pool into this,
+- * while on 32-bit we copy all of it. The entropy is supposed to be
+- * sufficiently dispersed between bits that in the sponge-like
+- * half case, on average we don't wind up "losing" some.
++ * The size of the copied stack pool is explicitly 2 longs so that we
++ * only ever ingest half of the siphash output each time, retaining
++ * the other half as the next "key" that carries over. The entropy is
++ * supposed to be sufficiently dispersed between bits so on average
++ * we don't wind up "losing" some.
+ */
+- u8 pool[16];
++ unsigned long pool[2];
+
+ /* Check to see if we're running on the wrong CPU due to hotplug. */
+ local_irq_disable();
+@@ -1303,36 +1284,21 @@ static void mix_interrupt_randomness(str
+ void add_interrupt_randomness(int irq)
+ {
+ enum { MIX_INFLIGHT = 1U << 31 };
+- unsigned long cycles = random_get_entropy(), now = jiffies;
++ unsigned long entropy = random_get_entropy();
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+ unsigned int new_count;
+- union {
+- u32 u32[4];
+- u64 u64[2];
+- unsigned long longs[16 / sizeof(long)];
+- } irq_data;
+-
+- if (cycles == 0)
+- cycles = get_reg(fast_pool, regs);
+-
+- if (sizeof(unsigned long) == 8) {
+- irq_data.u64[0] = cycles ^ rol64(now, 32) ^ irq;
+- irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
+- } else {
+- irq_data.u32[0] = cycles ^ irq;
+- irq_data.u32[1] = now;
+- irq_data.u32[2] = regs ? instruction_pointer(regs) : _RET_IP_;
+- irq_data.u32[3] = get_reg(fast_pool, regs);
+- }
+
+- fast_mix(fast_pool->pool, irq_data.longs);
++ fast_mix(fast_pool->pool, (unsigned long[2]){
++ entropy,
++ (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)
++ });
+ new_count = ++fast_pool->count;
+
+ if (new_count & MIX_INFLIGHT)
+ return;
+
+- if (new_count < 64 && (!time_after(now, fast_pool->last + HZ) ||
++ if (new_count < 64 && (!time_is_before_jiffies(fast_pool->last + HZ) ||
+ unlikely(crng_init == 0)))
+ return;
+
+@@ -1368,28 +1334,28 @@ static void entropy_timer(unsigned long
+ static void try_to_generate_entropy(void)
+ {
+ struct {
+- unsigned long cycles;
++ unsigned long entropy;
+ struct timer_list timer;
+ } stack;
+
+- stack.cycles = random_get_entropy();
++ stack.entropy = random_get_entropy();
+
+ /* Slow counter - or none. Don't even bother */
+- if (stack.cycles == random_get_entropy())
++ if (stack.entropy == random_get_entropy())
+ return;
+
+ __setup_timer_on_stack(&stack.timer, entropy_timer, 0, 0);
+ while (!crng_ready() && !signal_pending(current)) {
+ if (!timer_pending(&stack.timer))
+ mod_timer(&stack.timer, jiffies + 1);
+- mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
++ mix_pool_bytes(&stack.entropy, sizeof(stack.entropy));
+ schedule();
+- stack.cycles = random_get_entropy();
++ stack.entropy = random_get_entropy();
+ }
+
+ del_timer_sync(&stack.timer);
+ destroy_timer_on_stack(&stack.timer);
+- mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
++ mix_pool_bytes(&stack.entropy, sizeof(stack.entropy));
+ }
+
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:19:49 +0100
+Subject: random: introduce drain_entropy() helper to declutter crng_reseed()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 246c03dd899164d0186b6d685d6387f228c28d93 upstream.
+
+In preparation for separating responsibilities, break out the entropy
+count management part of crng_reseed() into its own function.
+
+No functional changes.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -260,6 +260,7 @@ static struct {
+ };
+
+ static void extract_entropy(void *buf, size_t nbytes);
++static bool drain_entropy(void *buf, size_t nbytes);
+
+ static void crng_reseed(void);
+
+@@ -454,23 +455,13 @@ static void crng_slow_load(const void *c
+ static void crng_reseed(void)
+ {
+ unsigned long flags;
+- int entropy_count;
+ unsigned long next_gen;
+ u8 key[CHACHA20_KEY_SIZE];
+ bool finalize_init = false;
+
+- /*
+- * First we make sure we have POOL_MIN_BITS of entropy in the pool,
+- * and then we drain all of it. Only then can we extract a new key.
+- */
+- do {
+- entropy_count = READ_ONCE(input_pool.entropy_count);
+- if (entropy_count < POOL_MIN_BITS)
+- return;
+- } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+- extract_entropy(key, sizeof(key));
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
++ /* Only reseed if we can, to prevent brute forcing a small amount of new bits. */
++ if (!drain_entropy(key, sizeof(key)))
++ return;
+
+ /*
+ * We copy the new key into the base_crng, overwriting the old one,
+@@ -898,6 +889,25 @@ static void extract_entropy(void *buf, s
+ memzero_explicit(&block, sizeof(block));
+ }
+
++/*
++ * First we make sure we have POOL_MIN_BITS of entropy in the pool, and then we
++ * set the entropy count to zero (but don't actually touch any data). Only then
++ * can we extract a new key with extract_entropy().
++ */
++static bool drain_entropy(void *buf, size_t nbytes)
++{
++ unsigned int entropy_count;
++ do {
++ entropy_count = READ_ONCE(input_pool.entropy_count);
++ if (entropy_count < POOL_MIN_BITS)
++ return false;
++ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
++ extract_entropy(buf, nbytes);
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ return true;
++}
++
+ #define warn_unseeded_randomness(previous) \
+ _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Mar 2022 11:20:17 -0700
+Subject: random: make consistent usage of crng_ready()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a96cfe2d427064325ecbf56df8816c6b871ec285 upstream.
+
+Rather than sometimes checking `crng_init < 2`, we should always use the
+crng_ready() macro, so that should we change anything later, it's
+consistent. Additionally, that macro already has a likely() around it,
+which means we don't need to open code our own likely() and unlikely()
+annotations.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -125,18 +125,13 @@ static void try_to_generate_entropy(void
+ */
+ int wait_for_random_bytes(void)
+ {
+- if (likely(crng_ready()))
+- return 0;
+-
+- do {
++ while (!crng_ready()) {
+ int ret;
+ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
+ if (ret)
+ return ret > 0 ? 0 : ret;
+-
+ try_to_generate_entropy();
+- } while (!crng_ready());
+-
++ }
+ return 0;
+ }
+ EXPORT_SYMBOL(wait_for_random_bytes);
+@@ -291,7 +286,7 @@ static void crng_reseed(void)
+ ++next_gen;
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+- if (crng_init < 2) {
++ if (!crng_ready()) {
+ crng_init = 2;
+ finalize_init = true;
+ }
+@@ -359,7 +354,7 @@ static void crng_make_state(u32 chacha_s
+ * ready, we do fast key erasure with the base_crng directly, because
+ * this is what crng_pre_init_inject() mutates during early init.
+ */
+- if (unlikely(!crng_ready())) {
++ if (!crng_ready()) {
+ bool ready;
+
+ spin_lock_irqsave(&base_crng.lock, flags);
+@@ -799,7 +794,7 @@ static void credit_entropy_bits(size_t n
+ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+
+- if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
++ if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
+ crng_reseed();
+ }
+
+@@ -956,7 +951,7 @@ int __init rand_initialize(void)
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ ++base_crng.generation;
+
+- if (arch_init && trust_cpu && crng_init < 2) {
++ if (arch_init && trust_cpu && !crng_ready()) {
+ crng_init = 2;
+ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+@@ -1545,7 +1540,7 @@ static long random_ioctl(struct file *f,
+ case RNDRESEEDCRNG:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+- if (crng_init < 2)
++ if (!crng_ready())
+ return -ENODATA;
+ crng_reseed();
+ return 0;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 27 Aug 2018 14:51:54 -0700
+Subject: random: make CPU trust a boot parameter
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9b25436662d5fb4c66eb527ead53cab15f596ee0 upstream.
+
+Instead of forcing a distro or other system builder to choose
+at build time whether the CPU is trusted for CRNG seeding via
+CONFIG_RANDOM_TRUST_CPU, provide a boot-time parameter for end users to
+control the choice. The CONFIG will set the default state instead.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 6 ++++++
+ drivers/char/Kconfig | 4 ++--
+ drivers/char/random.c | 11 ++++++++---
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3526,6 +3526,12 @@
+ ramdisk_size= [RAM] Sizes of RAM disks in kilobytes
+ See Documentation/blockdev/ramdisk.txt.
+
++ random.trust_cpu={on,off}
++ [KNL] Enable or disable trusting the use of the
++ CPU's random number generator (if available) to
++ fully seed the kernel's CRNG. Default is controlled
++ by CONFIG_RANDOM_TRUST_CPU.
++
+ ras=option[,option,...] [KNL] RAS-specific options
+
+ cec_disable [X86]
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -602,5 +602,5 @@ config RANDOM_TRUST_CPU
+ that CPU manufacturer (perhaps with the insistence or mandate
+ of a Nation State's intelligence or law enforcement agencies)
+ has not installed a hidden back door to compromise the CPU's
+- random number generation facilities.
+-
++ random number generation facilities. This can also be configured
++ at boot with "random.trust_cpu=on/off".
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -779,6 +779,13 @@ static struct crng_state **crng_node_poo
+
+ static void invalidate_batched_entropy(void);
+
++static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
++static int __init parse_trust_cpu(char *arg)
++{
++ return kstrtobool(arg, &trust_cpu);
++}
++early_param("random.trust_cpu", parse_trust_cpu);
++
+ static void crng_initialize(struct crng_state *crng)
+ {
+ int i;
+@@ -799,12 +806,10 @@ static void crng_initialize(struct crng_
+ }
+ crng->state[i] ^= rv;
+ }
+-#ifdef CONFIG_RANDOM_TRUST_CPU
+- if (arch_init) {
++ if (trust_cpu && arch_init) {
+ crng_init = 2;
+ pr_notice("random: crng done (trusting CPU's manufacturer)\n");
+ }
+-#endif
+ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 4 Feb 2022 01:45:53 +0100
+Subject: random: make credit_entropy_bits() always safe
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a49c010e61e1938be851f5e49ac219d49b704103 upstream.
+
+This is called from various hwgenerator drivers, so rather than having
+one "safe" version for userspace and one "unsafe" version for the
+kernel, just make everything safe; the checks are cheap and sensible to
+have anyway.
+
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -447,18 +447,15 @@ static void process_random_ready_list(vo
+ spin_unlock_irqrestore(&random_ready_list_lock, flags);
+ }
+
+-/*
+- * Credit (or debit) the entropy store with n bits of entropy.
+- * Use credit_entropy_bits_safe() if the value comes from userspace
+- * or otherwise should be checked for extreme values.
+- */
+ static void credit_entropy_bits(int nbits)
+ {
+ int entropy_count, orig;
+
+- if (!nbits)
++ if (nbits <= 0)
+ return;
+
++ nbits = min(nbits, POOL_BITS);
++
+ do {
+ orig = READ_ONCE(input_pool.entropy_count);
+ entropy_count = min(POOL_BITS, orig + nbits);
+@@ -470,18 +467,6 @@ static void credit_entropy_bits(int nbit
+ crng_reseed(&primary_crng, true);
+ }
+
+-static int credit_entropy_bits_safe(int nbits)
+-{
+- if (nbits < 0)
+- return -EINVAL;
+-
+- /* Cap the value to avoid overflows */
+- nbits = min(nbits, POOL_BITS);
+-
+- credit_entropy_bits(nbits);
+- return 0;
+-}
+-
+ /*********************************************************************
+ *
+ * CRNG using CHACHA20
+@@ -1525,7 +1510,10 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- return credit_entropy_bits_safe(ent_count);
++ if (ent_count < 0)
++ return -EINVAL;
++ credit_entropy_bits(ent_count);
++ return 0;
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1538,7 +1526,8 @@ static long random_ioctl(struct file *f,
+ retval = write_pool((const char __user *)p, size);
+ if (retval < 0)
+ return retval;
+- return credit_entropy_bits_safe(ent_count);
++ credit_entropy_bits(ent_count);
++ return 0;
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 31 Jul 2018 21:11:00 +0200
+Subject: random: Make crng state queryable
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9a47249d444d344051c7c0e909fad0e88515a5c2 upstream.
+
+It is very useful to be able to know whether or not get_random_bytes_wait
+/ wait_for_random_bytes is going to block or not, or whether plain
+get_random_bytes is going to return good randomness or bad randomness.
+
+The particular use case is for mitigating certain attacks in WireGuard.
+A handshake packet arrives and is queued up. Elsewhere a worker thread
+takes items from the queue and processes them. In replying to these
+items, it needs to use some random data, and it has to be good random
+data. If we simply block until we can have good randomness, then it's
+possible for an attacker to fill the queue up with packets waiting to be
+processed. Upon realizing the queue is full, WireGuard will detect that
+it's under a denial of service attack, and behave accordingly. A better
+approach is just to drop incoming handshake packets if the crng is not
+yet initialized.
+
+This patch, therefore, makes that information directly accessible.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 15 +++++++++++++++
+ include/linux/random.h | 1 +
+ 2 files changed, 16 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1669,6 +1669,21 @@ int wait_for_random_bytes(void)
+ EXPORT_SYMBOL(wait_for_random_bytes);
+
+ /*
++ * Returns whether or not the urandom pool has been seeded and thus guaranteed
++ * to supply cryptographically secure random numbers. This applies to: the
++ * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
++ * ,u64,int,long} family of functions.
++ *
++ * Returns: true if the urandom pool has been seeded.
++ * false if the urandom pool has not been seeded.
++ */
++bool rng_is_initialized(void)
++{
++ return crng_ready();
++}
++EXPORT_SYMBOL(rng_is_initialized);
++
++/*
+ * Add a callback function that will be invoked when the nonblocking
+ * pool is initialised.
+ *
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -36,6 +36,7 @@ extern void add_interrupt_randomness(int
+
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern int wait_for_random_bytes(void);
++extern bool rng_is_initialized(void);
+ extern int add_random_ready_callback(struct random_ready_callback *rdy);
+ extern void del_random_ready_callback(struct random_ready_callback *rdy);
+ extern int __must_check get_random_bytes_arch(void *buf, int nbytes);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:48 -0800
+Subject: random: make /dev/random be almost like /dev/urandom
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 30c08efec8884fb106b8e57094baa51bb4c44e32 upstream.
+
+This patch changes the read semantics of /dev/random to be the same
+as /dev/urandom except that reads will block until the CRNG is
+ready.
+
+None of the cleanups that this enables have been done yet. As a
+result, this gives a warning about an unused function.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/5e6ac8831c6cf2e56a7a4b39616d1732b2bdd06c.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 54 ++++++++++++--------------------------------------
+ 1 file changed, 13 insertions(+), 41 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -354,7 +354,6 @@
+ #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
+ #define OUTPUT_POOL_SHIFT 10
+ #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
+-#define SEC_XFER_SIZE 512
+ #define EXTRACT_SIZE 10
+
+
+@@ -804,7 +803,6 @@ retry:
+ if (entropy_bits >= random_read_wakeup_bits &&
+ wq_has_sleeper(&random_read_wait)) {
+ wake_up_interruptible(&random_read_wait);
+- kill_fasync(&fasync, SIGIO, POLL_IN);
+ }
+ /* If the input pool is getting full, and the blocking
+ * pool has room, send some entropy to the blocking
+@@ -1925,43 +1923,6 @@ void rand_initialize_disk(struct gendisk
+ #endif
+
+ static ssize_t
+-_random_read(int nonblock, char __user *buf, size_t nbytes)
+-{
+- ssize_t n;
+-
+- if (nbytes == 0)
+- return 0;
+-
+- nbytes = min_t(size_t, nbytes, SEC_XFER_SIZE);
+- while (1) {
+- n = extract_entropy_user(&blocking_pool, buf, nbytes);
+- if (n < 0)
+- return n;
+- trace_random_read(n*8, (nbytes-n)*8,
+- ENTROPY_BITS(&blocking_pool),
+- ENTROPY_BITS(&input_pool));
+- if (n > 0)
+- return n;
+-
+- /* Pool is (near) empty. Maybe wait and retry. */
+- if (nonblock)
+- return -EAGAIN;
+-
+- wait_event_interruptible(random_read_wait,
+- blocking_pool.initialized &&
+- (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits));
+- if (signal_pending(current))
+- return -ERESTARTSYS;
+- }
+-}
+-
+-static ssize_t
+-random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
+-{
+- return _random_read(file->f_flags & O_NONBLOCK, buf, nbytes);
+-}
+-
+-static ssize_t
+ urandom_read_nowarn(struct file *file, char __user *buf, size_t nbytes,
+ loff_t *ppos)
+ {
+@@ -1993,15 +1954,26 @@ urandom_read(struct file *file, char __u
+ return urandom_read_nowarn(file, buf, nbytes, ppos);
+ }
+
++static ssize_t
++random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
++{
++ int ret;
++
++ ret = wait_for_random_bytes();
++ if (ret != 0)
++ return ret;
++ return urandom_read_nowarn(file, buf, nbytes, ppos);
++}
++
+ static unsigned int
+ random_poll(struct file *file, poll_table * wait)
+ {
+ unsigned int mask;
+
+- poll_wait(file, &random_read_wait, wait);
++ poll_wait(file, &crng_init_wait, wait);
+ poll_wait(file, &random_write_wait, wait);
+ mask = 0;
+- if (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits)
++ if (crng_ready())
+ mask |= POLLIN | POLLRDNORM;
+ if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits)
+ mask |= POLLOUT | POLLWRNORM;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:14:57 +0200
+Subject: random: make random_get_entropy() return an unsigned long
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit b0c3e796f24b588b862b61ce235d3c9417dc8983 upstream.
+
+Some implementations were returning type `unsigned long`, while others
+that fell back to get_cycles() were implicitly returning a `cycles_t` or
+an untyped constant int literal. That makes for weird and confusing
+code, and basically all code in the kernel already handled it like it
+was an `unsigned long`. I recently tried to handle it as the largest
+type it could be, a `cycles_t`, but doing so doesn't really help with
+much.
+
+Instead let's just make random_get_entropy() return an unsigned long all
+the time. This also matches the commonly used `arch_get_random_long()`
+function, so now RDRAND and RDTSC return the same sized integer, which
+means one can fallback to the other more gracefully.
+
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 20 +++++++-------------
+ include/linux/timex.h | 2 +-
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1010,7 +1010,7 @@ int __init rand_initialize(void)
+ */
+ void add_device_randomness(const void *buf, size_t size)
+ {
+- cycles_t cycles = random_get_entropy();
++ unsigned long cycles = random_get_entropy();
+ unsigned long flags, now = jiffies;
+
+ if (crng_init == 0 && size)
+@@ -1041,8 +1041,7 @@ struct timer_rand_state {
+ */
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+ {
+- cycles_t cycles = random_get_entropy();
+- unsigned long flags, now = jiffies;
++ unsigned long cycles = random_get_entropy(), now = jiffies, flags;
+ long delta, delta2, delta3;
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+@@ -1297,8 +1296,7 @@ static void mix_interrupt_randomness(str
+ void add_interrupt_randomness(int irq)
+ {
+ enum { MIX_INFLIGHT = 1U << 31 };
+- cycles_t cycles = random_get_entropy();
+- unsigned long now = jiffies;
++ unsigned long cycles = random_get_entropy(), now = jiffies;
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+ unsigned int new_count;
+@@ -1311,16 +1309,12 @@ void add_interrupt_randomness(int irq)
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+
+- if (sizeof(cycles) == 8)
++ if (sizeof(unsigned long) == 8) {
+ irq_data.u64[0] = cycles ^ rol64(now, 32) ^ irq;
+- else {
++ irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
++ } else {
+ irq_data.u32[0] = cycles ^ irq;
+ irq_data.u32[1] = now;
+- }
+-
+- if (sizeof(unsigned long) == 8)
+- irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
+- else {
+ irq_data.u32[2] = regs ? instruction_pointer(regs) : _RET_IP_;
+ irq_data.u32[3] = get_reg(fast_pool, regs);
+ }
+@@ -1367,7 +1361,7 @@ static void entropy_timer(unsigned long
+ static void try_to_generate_entropy(void)
+ {
+ struct {
+- cycles_t cycles;
++ unsigned long cycles;
+ struct timer_list timer;
+ } stack;
+
+--- a/include/linux/timex.h
++++ b/include/linux/timex.h
+@@ -75,7 +75,7 @@
+ * By default we use get_cycles() for this purpose, but individual
+ * architectures may override this in their asm/timex.h header file.
+ */
+-#define random_get_entropy() get_cycles()
++#define random_get_entropy() ((unsigned long)get_cycles())
+ #endif
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 7 Jun 2022 17:00:16 +0200
+Subject: random: mark bootloader randomness code as __init
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 39e0f991a62ed5efabd20711a7b6e7da92603170 upstream.
+
+add_bootloader_randomness() and the variables it touches are only used
+during __init and not after, so mark these as __init. At the same time,
+unexport this, since it's only called by other __init code that's
+built-in.
+
+Cc: stable@vger.kernel.org
+Fixes: 428826f5358c ("fdt: add support for rng-seed")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 7 +++----
+ include/linux/random.h | 2 +-
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -785,8 +785,8 @@ static void __cold _credit_init_bits(siz
+ *
+ **********************************************************************/
+
+-static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+-static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
++static bool trust_cpu __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
++static bool trust_bootloader __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
+ static int __init parse_trust_cpu(char *arg)
+ {
+ return kstrtobool(arg, &trust_cpu);
+@@ -882,13 +882,12 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_random
+ * Handle random seed passed by bootloader, and credit it if
+ * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+ */
+-void __cold add_bootloader_randomness(const void *buf, size_t len)
++void __init add_bootloader_randomness(const void *buf, size_t len)
+ {
+ mix_pool_bytes(buf, len);
+ if (trust_bootloader)
+ credit_init_bits(len * 8);
+ }
+-EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+ struct fast_pool {
+ struct work_struct mix;
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -13,7 +13,7 @@
+ struct notifier_block;
+
+ void add_device_randomness(const void *buf, size_t len);
+-void add_bootloader_randomness(const void *buf, size_t len);
++void __init add_bootloader_randomness(const void *buf, size_t len);
+ void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value) __latent_entropy;
+ void add_interrupt_randomness(int irq) __latent_entropy;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 29 Dec 2021 22:10:06 +0100
+Subject: random: mix bootloader randomness into pool
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 57826feeedb63b091f807ba8325d736775d39afd upstream.
+
+If we're trusting bootloader randomness, crng_fast_load() is called by
+add_hwgenerator_randomness(), which sets us to crng_init==1. However,
+usually it is only called once for an initial 64-byte push, so bootloader
+entropy will not mix any bytes into the input pool. So it's conceivable
+that crng_init==1 when crng_initialize_primary() is called later, but
+then the input pool is empty. When that happens, the crng state key will
+be overwritten with extracted output from the empty input pool. That's
+bad.
+
+In contrast, if we're not trusting bootloader randomness, we call
+crng_slow_load() *and* we call mix_pool_bytes(), so that later
+crng_initialize_primary() isn't drawing on nothing.
+
+In order to prevent crng_initialize_primary() from extracting an empty
+pool, have the trusted bootloader case mirror that of the untrusted
+bootloader case, mixing the input into the pool.
+
+[linux@dominikbrodowski.net: rewrite commit message]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2234,8 +2234,12 @@ void add_hwgenerator_randomness(const ch
+ struct entropy_store *poolp = &input_pool;
+
+ if (unlikely(crng_init == 0)) {
+- crng_fast_load(buffer, count);
+- return;
++ size_t ret = crng_fast_load(buffer, count);
++ mix_pool_bytes(poolp, buffer, ret);
++ count -= ret;
++ buffer += ret;
++ if (!count || crng_init == 0)
++ return;
+ }
+
+ /* Suspend writing if we're above the trickle threshold.
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 31 Mar 2022 11:01:01 -0400
+Subject: random: mix build-time latent entropy into pool at init
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1754abb3e7583c570666fa1e1ee5b317e88c89a0 upstream.
+
+Prior, the "input_pool_data" array needed no real initialization, and so
+it was easy to mark it with __latent_entropy to populate it during
+compile-time. In switching to using a hash function, this required us to
+specifically initialize it to some specific state, which means we
+dropped the __latent_entropy attribute. An unfortunate side effect was
+this meant the pool was no longer seeded using compile-time random data.
+In order to bring this back, we declare an array in rand_initialize()
+with __latent_entropy and call mix_pool_bytes() on that at init, which
+accomplishes the same thing as before. We make this __initconst, so that
+it doesn't take up space at runtime after init.
+
+Fixes: 6e8ec2552c7d ("random: use computational hash for entropy extraction")
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -967,6 +967,11 @@ int __init rand_initialize(void)
+ bool arch_init = true;
+ unsigned long rv;
+
++#if defined(LATENT_ENTROPY_PLUGIN)
++ static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
++ _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
++#endif
++
+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
+ if (!arch_get_random_seed_long_early(&rv) &&
+ !arch_get_random_long_early(&rv)) {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 13 May 2022 16:17:12 +0200
+Subject: random: move initialization functions out of hot pages
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 560181c27b582557d633ecb608110075433383af upstream.
+
+Much of random.c is devoted to initializing the rng and accounting for
+when a sufficient amount of entropy has been added. In a perfect world,
+this would all happen during init, and so we could mark these functions
+as __init. But in reality, this isn't the case: sometimes the rng only
+finishes initializing some seconds after system init is finished.
+
+For this reason, at the moment, a whole host of functions that are only
+used relatively close to system init and then never again are intermixed
+with functions that are used in hot code all the time. This creates more
+cache misses than necessary.
+
+In order to pack the hot code closer together, this commit moves the
+initialization functions that can't be marked as __init into
+.text.unlikely by way of the __cold attribute.
+
+Of particular note is moving credit_init_bits() into a macro wrapper
+that inlines the crng_ready() static branch check. This avoids a
+function call to a nop+ret, and most notably prevents extra entropy
+arithmetic from being computed in mix_interrupt_randomness().
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+[ Jason: for stable, made sure the printk_deferred was a pr_notice,
+ because those caused problems on ≤ 4.19 according to commit logs. ]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -109,7 +109,7 @@ bool rng_is_initialized(void)
+ }
+ EXPORT_SYMBOL(rng_is_initialized);
+
+-static void crng_set_ready(struct work_struct *work)
++static void __cold crng_set_ready(struct work_struct *work)
+ {
+ static_branch_enable(&crng_is_ready);
+ }
+@@ -148,7 +148,7 @@ EXPORT_SYMBOL(wait_for_random_bytes);
+ * returns: 0 if callback is successfully added
+ * -EALREADY if pool is already initialised (callback not called)
+ */
+-int register_random_ready_notifier(struct notifier_block *nb)
++int __cold register_random_ready_notifier(struct notifier_block *nb)
+ {
+ unsigned long flags;
+ int ret = -EALREADY;
+@@ -167,7 +167,7 @@ EXPORT_SYMBOL(register_random_ready_noti
+ /*
+ * Delete a previously registered readiness callback function.
+ */
+-int unregister_random_ready_notifier(struct notifier_block *nb)
++int __cold unregister_random_ready_notifier(struct notifier_block *nb)
+ {
+ unsigned long flags;
+ int ret;
+@@ -179,7 +179,7 @@ int unregister_random_ready_notifier(str
+ }
+ EXPORT_SYMBOL(unregister_random_ready_notifier);
+
+-static void process_random_ready_list(void)
++static void __cold process_random_ready_list(void)
+ {
+ unsigned long flags;
+
+@@ -189,15 +189,9 @@ static void process_random_ready_list(vo
+ }
+
+ #define warn_unseeded_randomness() \
+- _warn_unseeded_randomness(__func__, (void *)_RET_IP_)
+-
+-static void _warn_unseeded_randomness(const char *func_name, void *caller)
+-{
+- if (!IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) || crng_ready())
+- return;
+- printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
+- func_name, caller, crng_init);
+-}
++ if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \
++ pr_notice("%s called from %pS with crng_init=%d\n", \
++ __func__, (void *)_RET_IP_, crng_init)
+
+
+ /*********************************************************************
+@@ -611,7 +605,7 @@ EXPORT_SYMBOL(get_random_u32);
+ * This function is called when the CPU is coming up, with entry
+ * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP.
+ */
+-int random_prepare_cpu(unsigned int cpu)
++int __cold random_prepare_cpu(unsigned int cpu)
+ {
+ /*
+ * When the cpu comes back online, immediately invalidate both
+@@ -786,13 +780,15 @@ static void extract_entropy(void *buf, s
+ memzero_explicit(&block, sizeof(block));
+ }
+
+-static void credit_init_bits(size_t bits)
++#define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits)
++
++static void __cold _credit_init_bits(size_t bits)
+ {
+ static struct execute_work set_ready;
+ unsigned int new, orig, add;
+ unsigned long flags;
+
+- if (crng_ready() || !bits)
++ if (!bits)
+ return;
+
+ add = min_t(size_t, bits, POOL_BITS);
+@@ -971,7 +967,7 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_random
+ * Handle random seed passed by bootloader, and credit it if
+ * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+ */
+-void add_bootloader_randomness(const void *buf, size_t len)
++void __cold add_bootloader_randomness(const void *buf, size_t len)
+ {
+ mix_pool_bytes(buf, len);
+ if (trust_bootloader)
+@@ -1017,7 +1013,7 @@ static void fast_mix(unsigned long s[4],
+ * This function is called when the CPU has just come online, with
+ * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE.
+ */
+-int random_online_cpu(unsigned int cpu)
++int __cold random_online_cpu(unsigned int cpu)
+ {
+ /*
+ * During CPU shutdown and before CPU onlining, add_interrupt_
+@@ -1172,7 +1168,7 @@ static void add_timer_randomness(struct
+ if (in_irq())
+ this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1;
+ else
+- credit_init_bits(bits);
++ _credit_init_bits(bits);
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code, unsigned int value)
+@@ -1200,7 +1196,7 @@ void add_disk_randomness(struct gendisk
+ }
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+
+-void rand_initialize_disk(struct gendisk *disk)
++void __cold rand_initialize_disk(struct gendisk *disk)
+ {
+ struct timer_rand_state *state;
+
+@@ -1229,7 +1225,7 @@ void rand_initialize_disk(struct gendisk
+ *
+ * So the re-arming always happens in the entropy loop itself.
+ */
+-static void entropy_timer(unsigned long data)
++static void __cold entropy_timer(unsigned long data)
+ {
+ credit_init_bits(1);
+ }
+@@ -1238,7 +1234,7 @@ static void entropy_timer(unsigned long
+ * If we have an actual cycle counter, see if we can
+ * generate enough entropy with timing noise
+ */
+-static void try_to_generate_entropy(void)
++static void __cold try_to_generate_entropy(void)
+ {
+ struct {
+ unsigned long entropy;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 19 Apr 2019 23:27:05 -0400
+Subject: random: move rand_initialize() earlier
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d55535232c3dbde9a523a9d10d68670f5fe5dec3 upstream.
+
+Right now rand_initialize() is run as an early_initcall(), but it only
+depends on timekeeping_init() (for mixing ktime_get_real() into the
+pools). However, the call to boot_init_stack_canary() for stack canary
+initialization runs earlier, which triggers a warning at boot:
+
+random: get_random_bytes called from start_kernel+0x357/0x548 with crng_init=0
+
+Instead, this moves rand_initialize() to after timekeeping_init(), and moves
+canary initialization here as well.
+
+Note that this warning may still remain for machines that do not have
+UEFI RNG support (which initializes the RNG pools during setup_arch()),
+or for x86 machines without RDRAND (or booting without "random.trust=on"
+or CONFIG_RANDOM_TRUST_CPU=y).
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 5 ++---
+ include/linux/random.h | 1 +
+ init/main.c | 21 ++++++++++++++-------
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1789,7 +1789,7 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+ * data into the pool to prepare it for use. The pool is not cleared
+ * as that can only decrease the entropy in the pool.
+ */
+-static void init_std_data(struct entropy_store *r)
++static void __init init_std_data(struct entropy_store *r)
+ {
+ int i;
+ ktime_t now = ktime_get_real();
+@@ -1816,7 +1816,7 @@ static void init_std_data(struct entropy
+ * take care not to overwrite the precious per platform data
+ * we were given.
+ */
+-static int rand_initialize(void)
++int __init rand_initialize(void)
+ {
+ init_std_data(&input_pool);
+ init_std_data(&blocking_pool);
+@@ -1828,7 +1828,6 @@ static int rand_initialize(void)
+ }
+ return 0;
+ }
+-early_initcall(rand_initialize);
+
+ #ifdef CONFIG_BLOCK
+ void rand_initialize_disk(struct gendisk *disk)
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -36,6 +36,7 @@ extern void add_interrupt_randomness(int
+
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern int wait_for_random_bytes(void);
++extern int __init rand_initialize(void);
+ extern bool rng_is_initialized(void);
+ extern int add_random_ready_callback(struct random_ready_callback *rdy);
+ extern void del_random_ready_callback(struct random_ready_callback *rdy);
+--- a/init/main.c
++++ b/init/main.c
+@@ -531,13 +531,6 @@ asmlinkage __visible void __init start_k
+ page_address_init();
+ pr_notice("%s", linux_banner);
+ setup_arch(&command_line);
+- /*
+- * Set up the the initial canary and entropy after arch
+- * and after adding latent and command line entropy.
+- */
+- add_latent_entropy();
+- add_device_randomness(command_line, strlen(command_line));
+- boot_init_stack_canary();
+ mm_init_cpumask(&init_mm);
+ setup_command_line(command_line);
+ setup_nr_cpu_ids();
+@@ -614,6 +607,20 @@ asmlinkage __visible void __init start_k
+ hrtimers_init();
+ softirq_init();
+ timekeeping_init();
++
++ /*
++ * For best initial stack canary entropy, prepare it after:
++ * - setup_arch() for any UEFI RNG entropy and boot cmdline access
++ * - timekeeping_init() for ktime entropy used in rand_initialize()
++ * - rand_initialize() to get any arch-specific entropy like RDRAND
++ * - add_latent_entropy() to get any latent entropy
++ * - adding command line entropy
++ */
++ rand_initialize();
++ add_latent_entropy();
++ add_device_randomness(command_line, strlen(command_line));
++ boot_init_stack_canary();
++
+ time_init();
+ sched_clock_postinit();
+ printk_safe_init();
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 14 May 2022 13:59:30 +0200
+Subject: random: move randomize_page() into mm where it belongs
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 5ad7dd882e45d7fe432c32e896e2aaa0b21746ea upstream.
+
+randomize_page is an mm function. It is documented like one. It contains
+the history of one. It has the naming convention of one. It looks
+just like another very similar function in mm, randomize_stack_top().
+And it has always been maintained and updated by mm people. There is no
+need for it to be in random.c. In the "which shape does not look like
+the other ones" test, pointing to randomize_page() is correct.
+
+So move randomize_page() into mm/util.c, right next to the similar
+randomize_stack_top() function.
+
+This commit contains no actual code changes.
+
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 238 ++++++++++++++++---------------------------------
+ include/linux/mm.h | 2
+ include/linux/random.h | 2
+ mm/util.c | 33 ++++++
+ 4 files changed, 117 insertions(+), 158 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -52,6 +52,7 @@
+ #include <linux/uuid.h>
+ #include <linux/uaccess.h>
+ #include <linux/siphash.h>
++#include <linux/uio.h>
+ #include <crypto/chacha20.h>
+ #include <crypto/blake2s.h>
+ #include <asm/processor.h>
+@@ -446,13 +447,13 @@ void get_random_bytes(void *buf, size_t
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+
+-static ssize_t get_random_bytes_user(void __user *ubuf, size_t len)
++static ssize_t get_random_bytes_user(struct iov_iter *iter)
+ {
+- size_t block_len, left, ret = 0;
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+- u8 output[CHACHA20_BLOCK_SIZE];
++ u8 block[CHACHA20_BLOCK_SIZE];
++ size_t ret = 0, copied;
+
+- if (!len)
++ if (unlikely(!iov_iter_count(iter)))
+ return 0;
+
+ /*
+@@ -466,30 +467,22 @@ static ssize_t get_random_bytes_user(voi
+ * use chacha_state after, so we can simply return those bytes to
+ * the user directly.
+ */
+- if (len <= CHACHA20_KEY_SIZE) {
+- ret = len - copy_to_user(ubuf, &chacha_state[4], len);
++ if (iov_iter_count(iter) <= CHACHA20_KEY_SIZE) {
++ ret = copy_to_iter(&chacha_state[4], CHACHA20_KEY_SIZE, iter);
+ goto out_zero_chacha;
+ }
+
+ for (;;) {
+- chacha20_block(chacha_state, output);
++ chacha20_block(chacha_state, block);
+ if (unlikely(chacha_state[12] == 0))
+ ++chacha_state[13];
+
+- block_len = min_t(size_t, len, CHACHA20_BLOCK_SIZE);
+- left = copy_to_user(ubuf, output, block_len);
+- if (left) {
+- ret += block_len - left;
++ copied = copy_to_iter(block, sizeof(block), iter);
++ ret += copied;
++ if (!iov_iter_count(iter) || copied != sizeof(block))
+ break;
+- }
+
+- ubuf += block_len;
+- ret += block_len;
+- len -= block_len;
+- if (!len)
+- break;
+-
+- BUILD_BUG_ON(PAGE_SIZE % CHACHA20_BLOCK_SIZE != 0);
++ BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0);
+ if (ret % PAGE_SIZE == 0) {
+ if (signal_pending(current))
+ break;
+@@ -497,7 +490,7 @@ static ssize_t get_random_bytes_user(voi
+ }
+ }
+
+- memzero_explicit(output, sizeof(output));
++ memzero_explicit(block, sizeof(block));
+ out_zero_chacha:
+ memzero_explicit(chacha_state, sizeof(chacha_state));
+ return ret ? ret : -EFAULT;
+@@ -509,96 +502,60 @@ out_zero_chacha:
+ * provided by this function is okay, the function wait_for_random_bytes()
+ * should be called and return 0 at least once at any point prior.
+ */
+-struct batched_entropy {
+- union {
+- /*
+- * We make this 1.5x a ChaCha block, so that we get the
+- * remaining 32 bytes from fast key erasure, plus one full
+- * block from the detached ChaCha state. We can increase
+- * the size of this later if needed so long as we keep the
+- * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE.
+- */
+- u64 entropy_u64[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
+- u32 entropy_u32[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
+- };
+- unsigned long generation;
+- unsigned int position;
+-};
+-
+-
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
+- .position = UINT_MAX
+-};
+-
+-u64 get_random_u64(void)
+-{
+- u64 ret;
+- unsigned long flags;
+- struct batched_entropy *batch;
+- unsigned long next_gen;
+-
+- warn_unseeded_randomness();
+-
+- if (!crng_ready()) {
+- _get_random_bytes(&ret, sizeof(ret));
+- return ret;
+- }
+-
+- local_irq_save(flags);
+- batch = raw_cpu_ptr(&batched_entropy_u64);
+-
+- next_gen = READ_ONCE(base_crng.generation);
+- if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
+- next_gen != batch->generation) {
+- _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
+- batch->position = 0;
+- batch->generation = next_gen;
+- }
+-
+- ret = batch->entropy_u64[batch->position];
+- batch->entropy_u64[batch->position] = 0;
+- ++batch->position;
+- local_irq_restore(flags);
+- return ret;
+-}
+-EXPORT_SYMBOL(get_random_u64);
+-
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
+- .position = UINT_MAX
+-};
+-
+-u32 get_random_u32(void)
+-{
+- u32 ret;
+- unsigned long flags;
+- struct batched_entropy *batch;
+- unsigned long next_gen;
+
+- warn_unseeded_randomness();
++#define DEFINE_BATCHED_ENTROPY(type) \
++struct batch_ ##type { \
++ /* \
++ * We make this 1.5x a ChaCha block, so that we get the \
++ * remaining 32 bytes from fast key erasure, plus one full \
++ * block from the detached ChaCha state. We can increase \
++ * the size of this later if needed so long as we keep the \
++ * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE. \
++ */ \
++ type entropy[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \
++ unsigned long generation; \
++ unsigned int position; \
++}; \
++ \
++static DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \
++ .position = UINT_MAX \
++}; \
++ \
++type get_random_ ##type(void) \
++{ \
++ type ret; \
++ unsigned long flags; \
++ struct batch_ ##type *batch; \
++ unsigned long next_gen; \
++ \
++ warn_unseeded_randomness(); \
++ \
++ if (!crng_ready()) { \
++ _get_random_bytes(&ret, sizeof(ret)); \
++ return ret; \
++ } \
++ \
++ local_irq_save(flags); \
++ batch = raw_cpu_ptr(&batched_entropy_##type); \
++ \
++ next_gen = READ_ONCE(base_crng.generation); \
++ if (batch->position >= ARRAY_SIZE(batch->entropy) || \
++ next_gen != batch->generation) { \
++ _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \
++ batch->position = 0; \
++ batch->generation = next_gen; \
++ } \
++ \
++ ret = batch->entropy[batch->position]; \
++ batch->entropy[batch->position] = 0; \
++ ++batch->position; \
++ local_irq_restore(flags); \
++ return ret; \
++} \
++EXPORT_SYMBOL(get_random_ ##type);
+
+- if (!crng_ready()) {
+- _get_random_bytes(&ret, sizeof(ret));
+- return ret;
+- }
+-
+- local_irq_save(flags);
+- batch = raw_cpu_ptr(&batched_entropy_u32);
+-
+- next_gen = READ_ONCE(base_crng.generation);
+- if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
+- next_gen != batch->generation) {
+- _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
+- batch->position = 0;
+- batch->generation = next_gen;
+- }
+-
+- ret = batch->entropy_u32[batch->position];
+- batch->entropy_u32[batch->position] = 0;
+- ++batch->position;
+- local_irq_restore(flags);
+- return ret;
+-}
+-EXPORT_SYMBOL(get_random_u32);
++DEFINE_BATCHED_ENTROPY(u64)
++DEFINE_BATCHED_ENTROPY(u32)
+
+ #ifdef CONFIG_SMP
+ /*
+@@ -619,38 +576,6 @@ int __cold random_prepare_cpu(unsigned i
+ }
+ #endif
+
+-/**
+- * randomize_page - Generate a random, page aligned address
+- * @start: The smallest acceptable address the caller will take.
+- * @range: The size of the area, starting at @start, within which the
+- * random address must fall.
+- *
+- * If @start + @range would overflow, @range is capped.
+- *
+- * NOTE: Historical use of randomize_range, which this replaces, presumed that
+- * @start was already page aligned. We now align it regardless.
+- *
+- * Return: A page aligned address within [start, start + range). On error,
+- * @start is returned.
+- */
+-unsigned long randomize_page(unsigned long start, unsigned long range)
+-{
+- if (!PAGE_ALIGNED(start)) {
+- range -= PAGE_ALIGN(start) - start;
+- start = PAGE_ALIGN(start);
+- }
+-
+- if (start > ULONG_MAX - range)
+- range = ULONG_MAX - start;
+-
+- range >>= PAGE_SHIFT;
+-
+- if (range == 0)
+- return start;
+-
+- return start + (get_random_long() % range << PAGE_SHIFT);
+-}
+-
+ /*
+ * This function will use the architecture-specific hardware random
+ * number generator if it is available. It is not recommended for
+@@ -1292,6 +1217,10 @@ static void __cold try_to_generate_entro
+
+ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags)
+ {
++ struct iov_iter iter;
++ struct iovec iov;
++ int ret;
++
+ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+ return -EINVAL;
+
+@@ -1302,19 +1231,18 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+ return -EINVAL;
+
+- if (len > INT_MAX)
+- len = INT_MAX;
+-
+ if (!crng_ready() && !(flags & GRND_INSECURE)) {
+- int ret;
+-
+ if (flags & GRND_NONBLOCK)
+ return -EAGAIN;
+ ret = wait_for_random_bytes();
+ if (unlikely(ret))
+ return ret;
+ }
+- return get_random_bytes_user(ubuf, len);
++
++ ret = import_single_range(READ, ubuf, len, &iov, &iter);
++ if (unlikely(ret))
++ return ret;
++ return get_random_bytes_user(&iter);
+ }
+
+ static unsigned int random_poll(struct file *file, poll_table *wait)
+@@ -1358,8 +1286,7 @@ static ssize_t random_write(struct file
+ return (ssize_t)len;
+ }
+
+-static ssize_t urandom_read(struct file *file, char __user *ubuf,
+- size_t len, loff_t *ppos)
++static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
+ {
+ static int maxwarn = 10;
+
+@@ -1368,23 +1295,22 @@ static ssize_t urandom_read(struct file
+ ++urandom_warning.missed;
+ else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
+ --maxwarn;
+- pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
+- current->comm, len);
++ pr_notice("%s: uninitialized urandom read (%zu bytes read)\n",
++ current->comm, iov_iter_count(iter));
+ }
+ }
+
+- return get_random_bytes_user(ubuf, len);
++ return get_random_bytes_user(iter);
+ }
+
+-static ssize_t random_read(struct file *file, char __user *ubuf,
+- size_t len, loff_t *ppos)
++static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
+ {
+ int ret;
+
+ ret = wait_for_random_bytes();
+ if (ret != 0)
+ return ret;
+- return get_random_bytes_user(ubuf, len);
++ return get_random_bytes_user(iter);
+ }
+
+ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1446,7 +1372,7 @@ static int random_fasync(int fd, struct
+ }
+
+ const struct file_operations random_fops = {
+- .read = random_read,
++ .read_iter = random_read_iter,
+ .write = random_write,
+ .poll = random_poll,
+ .unlocked_ioctl = random_ioctl,
+@@ -1455,7 +1381,7 @@ const struct file_operations random_fops
+ };
+
+ const struct file_operations urandom_fops = {
+- .read = urandom_read,
++ .read_iter = urandom_read_iter,
+ .write = random_write,
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2164,6 +2164,8 @@ extern int install_special_mapping(struc
+ unsigned long addr, unsigned long len,
+ unsigned long flags, struct page **pages);
+
++unsigned long randomize_page(unsigned long start, unsigned long range);
++
+ extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
+
+ extern unsigned long mmap_region(struct file *file, unsigned long addr,
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -64,8 +64,6 @@ static inline unsigned long get_random_c
+ return get_random_long() & CANARY_MASK;
+ }
+
+-unsigned long randomize_page(unsigned long start, unsigned long range);
+-
+ int __init random_init(const char *command_line);
+ bool rng_is_initialized(void);
+ int wait_for_random_bytes(void);
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -14,6 +14,7 @@
+ #include <linux/hugetlb.h>
+ #include <linux/vmalloc.h>
+ #include <linux/userfaultfd_k.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <linux/uaccess.h>
+@@ -264,6 +265,38 @@ int vma_is_stack_for_current(struct vm_a
+ return (vma->vm_start <= KSTK_ESP(t) && vma->vm_end >= KSTK_ESP(t));
+ }
+
++/**
++ * randomize_page - Generate a random, page aligned address
++ * @start: The smallest acceptable address the caller will take.
++ * @range: The size of the area, starting at @start, within which the
++ * random address must fall.
++ *
++ * If @start + @range would overflow, @range is capped.
++ *
++ * NOTE: Historical use of randomize_range, which this replaces, presumed that
++ * @start was already page aligned. We now align it regardless.
++ *
++ * Return: A page aligned address within [start, start + range). On error,
++ * @start is returned.
++ */
++unsigned long randomize_page(unsigned long start, unsigned long range)
++{
++ if (!PAGE_ALIGNED(start)) {
++ range -= PAGE_ALIGN(start) - start;
++ start = PAGE_ALIGN(start);
++ }
++
++ if (start > ULONG_MAX - range)
++ range = ULONG_MAX - start;
++
++ range >>= PAGE_SHIFT;
++
++ if (range == 0)
++ return start;
++
++ return start + (get_random_long() % range << PAGE_SHIFT);
++}
++
+ #if defined(CONFIG_MMU) && !defined(HAVE_ARCH_PICK_MMAP_LAYOUT)
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+Date: Sun, 30 Jan 2022 22:03:20 +0100
+Subject: random: only call crng_finalize_init() for primary_crng
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+commit 9d5505f1eebeca778074a0260ed077fd85f8792c upstream.
+
+crng_finalize_init() returns instantly if it is called for another pool
+than primary_crng. The test whether crng_finalize_init() is still required
+can be moved to the relevant caller in crng_reseed(), and
+crng_need_final_init can be reset to false if crng_finalize_init() is
+called with workqueues ready. Then, no previous callsite will call
+crng_finalize_init() unless it is needed, and we can get rid of the
+superfluous function parameter.
+
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -799,10 +799,8 @@ static void __init crng_initialize_prima
+ primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
+-static void crng_finalize_init(struct crng_state *crng)
++static void crng_finalize_init(void)
+ {
+- if (crng != &primary_crng || crng_init >= 2)
+- return;
+ if (!system_wq) {
+ /* We can't call numa_crng_init until we have workqueues,
+ * so mark this for processing later. */
+@@ -813,6 +811,7 @@ static void crng_finalize_init(struct cr
+ invalidate_batched_entropy();
+ numa_crng_init();
+ crng_init = 2;
++ crng_need_final_init = false;
+ process_random_ready_list();
+ wake_up_interruptible(&crng_init_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+@@ -979,7 +978,8 @@ static void crng_reseed(struct crng_stat
+ memzero_explicit(&buf, sizeof(buf));
+ WRITE_ONCE(crng->init_time, jiffies);
+ spin_unlock_irqrestore(&crng->lock, flags);
+- crng_finalize_init(crng);
++ if (crng == &primary_crng && crng_init < 2)
++ crng_finalize_init();
+ }
+
+ static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE])
+@@ -1696,7 +1696,7 @@ int __init rand_initialize(void)
+ {
+ init_std_data();
+ if (crng_need_final_init)
+- crng_finalize_init(&primary_crng);
++ crng_finalize_init();
+ crng_initialize_primary();
+ crng_global_init_time = jiffies;
+ if (ratelimit_disable) {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 20 Feb 2019 16:06:38 -0500
+Subject: random: only read from /dev/random after its pool has received 128 bits
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit eb9d1bf079bb438d1a066d72337092935fc770f6 upstream.
+
+Immediately after boot, we allow reads from /dev/random before its
+entropy pool has been fully initialized. Fix this so that we don't
+allow this until the blocking pool has received 128 bits.
+
+We do this by repurposing the initialized flag in the entropy pool
+struct, and use the initialized flag in the blocking pool to indicate
+whether it is safe to pull from the blocking pool.
+
+To do this, we needed to rework when we decide to push entropy from the
+input pool to the blocking pool, since the initialized flag for the
+input pool was used for this purpose. To simplify things, we no
+longer use the initialized flag for that purpose, nor do we use the
+entropy_total field any more.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 44 +++++++++++++++++++++---------------------
+ include/trace/events/random.h | 13 ++++--------
+ 2 files changed, 27 insertions(+), 30 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -471,7 +471,6 @@ struct entropy_store {
+ unsigned short add_ptr;
+ unsigned short input_rotate;
+ int entropy_count;
+- int entropy_total;
+ unsigned int initialized:1;
+ unsigned int last_data_init:1;
+ __u8 last_data[EXTRACT_SIZE];
+@@ -644,7 +643,7 @@ static void process_random_ready_list(vo
+ */
+ static void credit_entropy_bits(struct entropy_store *r, int nbits)
+ {
+- int entropy_count, orig;
++ int entropy_count, orig, has_initialized = 0;
+ const int pool_size = r->poolinfo->poolfracbits;
+ int nfrac = nbits << ENTROPY_SHIFT;
+
+@@ -699,23 +698,25 @@ retry:
+ entropy_count = 0;
+ } else if (entropy_count > pool_size)
+ entropy_count = pool_size;
++ if ((r == &blocking_pool) && !r->initialized &&
++ (entropy_count >> ENTROPY_SHIFT) > 128)
++ has_initialized = 1;
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- r->entropy_total += nbits;
+- if (!r->initialized && r->entropy_total > 128) {
++ if (has_initialized)
+ r->initialized = 1;
+- r->entropy_total = 0;
+- }
+
+ trace_credit_entropy_bits(r->name, nbits,
+- entropy_count >> ENTROPY_SHIFT,
+- r->entropy_total, _RET_IP_);
++ entropy_count >> ENTROPY_SHIFT, _RET_IP_);
+
+ if (r == &input_pool) {
+ int entropy_bits = entropy_count >> ENTROPY_SHIFT;
++ struct entropy_store *other = &blocking_pool;
+
+- if (crng_init < 2 && entropy_bits >= 128) {
++ if (crng_init < 2) {
++ if (entropy_bits < 128)
++ return;
+ crng_reseed(&primary_crng, r);
+ entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
+ }
+@@ -726,20 +727,14 @@ retry:
+ wake_up_interruptible(&random_read_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ }
+- /* If the input pool is getting full, send some
+- * entropy to the blocking pool until it is 75% full.
++ /* If the input pool is getting full, and the blocking
++ * pool has room, send some entropy to the blocking
++ * pool.
+ */
+- if (entropy_bits > random_write_wakeup_bits &&
+- r->initialized &&
+- r->entropy_total >= 2*random_read_wakeup_bits) {
+- struct entropy_store *other = &blocking_pool;
+-
+- if (other->entropy_count <=
+- 3 * other->poolinfo->poolfracbits / 4) {
+- schedule_work(&other->push_work);
+- r->entropy_total = 0;
+- }
+- }
++ if (!work_pending(&other->push_work) &&
++ (ENTROPY_BITS(r) > 6 * r->poolinfo->poolbytes) &&
++ (ENTROPY_BITS(other) <= 6 * other->poolinfo->poolbytes))
++ schedule_work(&other->push_work);
+ }
+ }
+
+@@ -1559,6 +1554,11 @@ static ssize_t extract_entropy_user(stru
+ int large_request = (nbytes > 256);
+
+ trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
++ if (!r->initialized && r->pull) {
++ xfer_secondary_pool(r, ENTROPY_BITS(r->pull)/8);
++ if (!r->initialized)
++ return 0;
++ }
+ xfer_secondary_pool(r, nbytes);
+ nbytes = account(r, nbytes, 0, 0);
+
+--- a/include/trace/events/random.h
++++ b/include/trace/events/random.h
+@@ -62,15 +62,14 @@ DEFINE_EVENT(random__mix_pool_bytes, mix
+
+ TRACE_EVENT(credit_entropy_bits,
+ TP_PROTO(const char *pool_name, int bits, int entropy_count,
+- int entropy_total, unsigned long IP),
++ unsigned long IP),
+
+- TP_ARGS(pool_name, bits, entropy_count, entropy_total, IP),
++ TP_ARGS(pool_name, bits, entropy_count, IP),
+
+ TP_STRUCT__entry(
+ __field( const char *, pool_name )
+ __field( int, bits )
+ __field( int, entropy_count )
+- __field( int, entropy_total )
+ __field(unsigned long, IP )
+ ),
+
+@@ -78,14 +77,12 @@ TRACE_EVENT(credit_entropy_bits,
+ __entry->pool_name = pool_name;
+ __entry->bits = bits;
+ __entry->entropy_count = entropy_count;
+- __entry->entropy_total = entropy_total;
+ __entry->IP = IP;
+ ),
+
+- TP_printk("%s pool: bits %d entropy_count %d entropy_total %d "
+- "caller %pS", __entry->pool_name, __entry->bits,
+- __entry->entropy_count, __entry->entropy_total,
+- (void *)__entry->IP)
++ TP_printk("%s pool: bits %d entropy_count %d caller %pS",
++ __entry->pool_name, __entry->bits,
++ __entry->entropy_count, (void *)__entry->IP)
+ );
+
+ TRACE_EVENT(push_to_pool,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 22 Feb 2022 14:01:57 +0100
+Subject: random: only wake up writers after zap if threshold was passed
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a3f9e8910e1584d7725ef7d5ac870920d42d0bb4 upstream.
+
+The only time that we need to wake up /dev/random writers on
+RNDCLEARPOOL/RNDZAPPOOL is when we're changing from a value that is
+greater than or equal to POOL_MIN_BITS to zero, because if we're
+changing from below POOL_MIN_BITS to zero, the writers are already
+unblocked.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1577,7 +1577,7 @@ static long random_ioctl(struct file *f,
+ */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+- if (xchg(&input_pool.entropy_count, 0)) {
++ if (xchg(&input_pool.entropy_count, 0) >= POOL_MIN_BITS) {
+ wake_up_interruptible(&random_write_wait);
+ kill_fasync(&fasync, SIGIO, POLL_OUT);
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andi Kleen <ak@linux.intel.com>
+Date: Wed, 28 Feb 2018 13:43:28 -0800
+Subject: random: optimize add_interrupt_randomness
+
+From: Andi Kleen <ak@linux.intel.com>
+
+commit e8e8a2e47db6bb85bb0cb21e77b5c6aaedf864b4 upstream.
+
+add_interrupt_randomess always wakes up
+code blocking on /dev/random. This wake up is done
+unconditionally. Unfortunately this means all interrupts
+take the wait queue spinlock, which can be rather expensive
+on large systems processing lots of interrupts.
+
+We saw 1% cpu time spinning on this on a large macro workload
+running on a large system.
+
+I believe it's a recent regression (?)
+
+Always check if there is a waiter on the wait queue
+before waking up. This check can be done without
+taking a spinlock.
+
+1.06% 10460 [kernel.vmlinux] [k] native_queued_spin_lock_slowpath
+ |
+ ---native_queued_spin_lock_slowpath
+ |
+ --0.57%--_raw_spin_lock_irqsave
+ |
+ --0.56%--__wake_up_common_lock
+ credit_entropy_bits
+ add_interrupt_randomness
+ handle_irq_event_percpu
+ handle_irq_event
+ handle_edge_irq
+ handle_irq
+ do_IRQ
+ common_interrupt
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -721,7 +721,8 @@ retry:
+ }
+
+ /* should we wake readers? */
+- if (entropy_bits >= random_read_wakeup_bits) {
++ if (entropy_bits >= random_read_wakeup_bits &&
++ wq_has_sleeper(&random_read_wait)) {
+ wake_up_interruptible(&random_read_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 6 May 2022 18:27:38 +0200
+Subject: random: order timer entropy functions below interrupt functions
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a4b5c26b79ffdfcfb816c198f2fc2b1e7b5b580f upstream.
+
+There are no code changes here; this is just a reordering of functions,
+so that in subsequent commits, the timer entropy functions can call into
+the interrupt ones.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 238 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 119 insertions(+), 119 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -851,13 +851,13 @@ static void credit_init_bits(size_t nbit
+ * the above entropy accumulation routines:
+ *
+ * void add_device_randomness(const void *buf, size_t size);
+- * void add_input_randomness(unsigned int type, unsigned int code,
+- * unsigned int value);
+- * void add_disk_randomness(struct gendisk *disk);
+ * void add_hwgenerator_randomness(const void *buffer, size_t count,
+ * size_t entropy);
+ * void add_bootloader_randomness(const void *buf, size_t size);
+ * void add_interrupt_randomness(int irq);
++ * void add_input_randomness(unsigned int type, unsigned int code,
++ * unsigned int value);
++ * void add_disk_randomness(struct gendisk *disk);
+ *
+ * add_device_randomness() adds data to the input pool that
+ * is likely to differ between two devices (or possibly even per boot).
+@@ -867,19 +867,6 @@ static void credit_init_bits(size_t nbit
+ * that might otherwise be identical and have very little entropy
+ * available to them (particularly common in the embedded world).
+ *
+- * add_input_randomness() uses the input layer interrupt timing, as well
+- * as the event type information from the hardware.
+- *
+- * add_disk_randomness() uses what amounts to the seek time of block
+- * layer request events, on a per-disk_devt basis, as input to the
+- * entropy pool. Note that high-speed solid state drives with very low
+- * seek times do not make for good sources of entropy, as their seek
+- * times are usually fairly consistent.
+- *
+- * The above two routines try to estimate how many bits of entropy
+- * to credit. They do this by keeping track of the first and second
+- * order deltas of the event timings.
+- *
+ * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
+ * entropy as specified by the caller. If the entropy pool is full it will
+ * block until more entropy is needed.
+@@ -893,6 +880,19 @@ static void credit_init_bits(size_t nbit
+ * as inputs, it feeds the input pool roughly once a second or after 64
+ * interrupts, crediting 1 bit of entropy for whichever comes first.
+ *
++ * add_input_randomness() uses the input layer interrupt timing, as well
++ * as the event type information from the hardware.
++ *
++ * add_disk_randomness() uses what amounts to the seek time of block
++ * layer request events, on a per-disk_devt basis, as input to the
++ * entropy pool. Note that high-speed solid state drives with very low
++ * seek times do not make for good sources of entropy, as their seek
++ * times are usually fairly consistent.
++ *
++ * The last two routines try to estimate how many bits of entropy
++ * to credit. They do this by keeping track of the first and second
++ * order deltas of the event timings.
++ *
+ **********************************************************************/
+
+ static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+@@ -970,109 +970,6 @@ void add_device_randomness(const void *b
+ }
+ EXPORT_SYMBOL(add_device_randomness);
+
+-/* There is one of these per entropy source */
+-struct timer_rand_state {
+- unsigned long last_time;
+- long last_delta, last_delta2;
+-};
+-
+-/*
+- * This function adds entropy to the entropy "pool" by using timing
+- * delays. It uses the timer_rand_state structure to make an estimate
+- * of how many bits of entropy this call has added to the pool.
+- *
+- * The number "num" is also added to the pool - it should somehow describe
+- * the type of event which just happened. This is currently 0-255 for
+- * keyboard scan codes, and 256 upwards for interrupts.
+- */
+-static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+-{
+- unsigned long entropy = random_get_entropy(), now = jiffies, flags;
+- long delta, delta2, delta3;
+-
+- spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(&entropy, sizeof(entropy));
+- _mix_pool_bytes(&num, sizeof(num));
+- spin_unlock_irqrestore(&input_pool.lock, flags);
+-
+- if (crng_ready())
+- return;
+-
+- /*
+- * Calculate number of bits of randomness we probably added.
+- * We take into account the first, second and third-order deltas
+- * in order to make our estimate.
+- */
+- delta = now - READ_ONCE(state->last_time);
+- WRITE_ONCE(state->last_time, now);
+-
+- delta2 = delta - state->last_delta;
+- state->last_delta = delta;
+-
+- delta3 = delta2 - state->last_delta2;
+- state->last_delta2 = delta2;
+-
+- if (delta < 0)
+- delta = -delta;
+- if (delta2 < 0)
+- delta2 = -delta2;
+- if (delta3 < 0)
+- delta3 = -delta3;
+- if (delta > delta2)
+- delta = delta2;
+- if (delta > delta3)
+- delta = delta3;
+-
+- /*
+- * delta is now minimum absolute delta.
+- * Round down by 1 bit on general principles,
+- * and limit entropy estimate to 12 bits.
+- */
+- credit_init_bits(min_t(unsigned int, fls(delta >> 1), 11));
+-}
+-
+-void add_input_randomness(unsigned int type, unsigned int code,
+- unsigned int value)
+-{
+- static unsigned char last_value;
+- static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
+-
+- /* Ignore autorepeat and the like. */
+- if (value == last_value)
+- return;
+-
+- last_value = value;
+- add_timer_randomness(&input_timer_state,
+- (type << 4) ^ code ^ (code >> 4) ^ value);
+-}
+-EXPORT_SYMBOL_GPL(add_input_randomness);
+-
+-#ifdef CONFIG_BLOCK
+-void add_disk_randomness(struct gendisk *disk)
+-{
+- if (!disk || !disk->random)
+- return;
+- /* First major is 1, so we get >= 0x200 here. */
+- add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+-}
+-EXPORT_SYMBOL_GPL(add_disk_randomness);
+-
+-void rand_initialize_disk(struct gendisk *disk)
+-{
+- struct timer_rand_state *state;
+-
+- /*
+- * If kzalloc returns null, we just won't use that entropy
+- * source.
+- */
+- state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
+- if (state) {
+- state->last_time = INITIAL_JIFFIES;
+- disk->random = state;
+- }
+-}
+-#endif
+-
+ /*
+ * Interface for in-kernel drivers of true hardware RNGs.
+ * Those devices may produce endless random bits and will be throttled
+@@ -1234,6 +1131,109 @@ void add_interrupt_randomness(int irq)
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
++/* There is one of these per entropy source */
++struct timer_rand_state {
++ unsigned long last_time;
++ long last_delta, last_delta2;
++};
++
++/*
++ * This function adds entropy to the entropy "pool" by using timing
++ * delays. It uses the timer_rand_state structure to make an estimate
++ * of how many bits of entropy this call has added to the pool.
++ *
++ * The number "num" is also added to the pool - it should somehow describe
++ * the type of event which just happened. This is currently 0-255 for
++ * keyboard scan codes, and 256 upwards for interrupts.
++ */
++static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
++{
++ unsigned long entropy = random_get_entropy(), now = jiffies, flags;
++ long delta, delta2, delta3;
++
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(&entropy, sizeof(entropy));
++ _mix_pool_bytes(&num, sizeof(num));
++ spin_unlock_irqrestore(&input_pool.lock, flags);
++
++ if (crng_ready())
++ return;
++
++ /*
++ * Calculate number of bits of randomness we probably added.
++ * We take into account the first, second and third-order deltas
++ * in order to make our estimate.
++ */
++ delta = now - READ_ONCE(state->last_time);
++ WRITE_ONCE(state->last_time, now);
++
++ delta2 = delta - READ_ONCE(state->last_delta);
++ WRITE_ONCE(state->last_delta, delta);
++
++ delta3 = delta2 - READ_ONCE(state->last_delta2);
++ WRITE_ONCE(state->last_delta2, delta2);
++
++ if (delta < 0)
++ delta = -delta;
++ if (delta2 < 0)
++ delta2 = -delta2;
++ if (delta3 < 0)
++ delta3 = -delta3;
++ if (delta > delta2)
++ delta = delta2;
++ if (delta > delta3)
++ delta = delta3;
++
++ /*
++ * delta is now minimum absolute delta.
++ * Round down by 1 bit on general principles,
++ * and limit entropy estimate to 12 bits.
++ */
++ credit_init_bits(min_t(unsigned int, fls(delta >> 1), 11));
++}
++
++void add_input_randomness(unsigned int type, unsigned int code,
++ unsigned int value)
++{
++ static unsigned char last_value;
++ static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
++
++ /* Ignore autorepeat and the like. */
++ if (value == last_value)
++ return;
++
++ last_value = value;
++ add_timer_randomness(&input_timer_state,
++ (type << 4) ^ code ^ (code >> 4) ^ value);
++}
++EXPORT_SYMBOL_GPL(add_input_randomness);
++
++#ifdef CONFIG_BLOCK
++void add_disk_randomness(struct gendisk *disk)
++{
++ if (!disk || !disk->random)
++ return;
++ /* First major is 1, so we get >= 0x200 here. */
++ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
++}
++EXPORT_SYMBOL_GPL(add_disk_randomness);
++
++void rand_initialize_disk(struct gendisk *disk)
++{
++ struct timer_rand_state *state;
++
++ /*
++ * If kzalloc returns null, we just won't use that entropy
++ * source.
++ */
++ state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
++ if (state) {
++ state->last_time = INITIAL_JIFFIES;
++ disk->random = state;
++ }
++}
++#endif
++
+ /*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 14 Jan 2022 16:48:35 +0100
+Subject: random: prepend remaining pool constants with POOL_
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit b3d51c1f542113342ddfbf6007e38a684b9dbec9 upstream.
+
+The other pool constants are prepended with POOL_, but not these last
+ones. Rename them. This will then let us move them into the enum in the
+following commit.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -362,11 +362,11 @@
+ * To allow fractional bits to be tracked, the entropy_count field is
+ * denominated in units of 1/8th bits.
+ *
+- * 2*(ENTROPY_SHIFT + poolbitshift) must <= 31, or the multiply in
++ * 2*(POOL_ENTROPY_SHIFT + poolbitshift) must <= 31, or the multiply in
+ * credit_entropy_bits() needs to be 64 bits wide.
+ */
+-#define ENTROPY_SHIFT 3
+-#define ENTROPY_BITS() (input_pool.entropy_count >> ENTROPY_SHIFT)
++#define POOL_ENTROPY_SHIFT 3
++#define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
+
+ /*
+ * If the entropy count falls under this number of bits, then we
+@@ -426,7 +426,7 @@ enum poolinfo {
+ POOL_BYTES = POOL_WORDS * sizeof(u32),
+ POOL_BITS = POOL_BYTES * 8,
+ POOL_BITSHIFT = ilog2(POOL_WORDS) + 5,
+- POOL_FRACBITS = POOL_WORDS << (ENTROPY_SHIFT + 5),
++ POOL_FRACBITS = POOL_WORDS << (POOL_ENTROPY_SHIFT + 5),
+
+ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
+ POOL_TAP1 = 104,
+@@ -650,7 +650,7 @@ static void process_random_ready_list(vo
+ static void credit_entropy_bits(int nbits)
+ {
+ int entropy_count, entropy_bits, orig;
+- int nfrac = nbits << ENTROPY_SHIFT;
++ int nfrac = nbits << POOL_ENTROPY_SHIFT;
+
+ if (!nbits)
+ return;
+@@ -683,7 +683,7 @@ retry:
+ * turns no matter how large nbits is.
+ */
+ int pnfrac = nfrac;
+- const int s = POOL_BITSHIFT + ENTROPY_SHIFT + 2;
++ const int s = POOL_BITSHIFT + POOL_ENTROPY_SHIFT + 2;
+ /* The +2 corresponds to the /4 in the denominator */
+
+ do {
+@@ -704,9 +704,9 @@ retry:
+ if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- trace_credit_entropy_bits(nbits, entropy_count >> ENTROPY_SHIFT, _RET_IP_);
++ trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_);
+
+- entropy_bits = entropy_count >> ENTROPY_SHIFT;
++ entropy_bits = entropy_count >> POOL_ENTROPY_SHIFT;
+ if (crng_init < 2 && entropy_bits >= 128)
+ crng_reseed(&primary_crng, true);
+ }
+@@ -1186,7 +1186,7 @@ void add_input_randomness(unsigned int t
+ last_value = value;
+ add_timer_randomness(&input_timer_state,
+ (type << 4) ^ code ^ (code >> 4) ^ value);
+- trace_add_input_randomness(ENTROPY_BITS());
++ trace_add_input_randomness(POOL_ENTROPY_BITS());
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+@@ -1285,7 +1285,7 @@ void add_disk_randomness(struct gendisk
+ return;
+ /* first major is 1, so we get >= 0x200 here */
+ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+- trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS());
++ trace_add_disk_randomness(disk_devt(disk), POOL_ENTROPY_BITS());
+ }
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ #endif
+@@ -1312,7 +1312,7 @@ retry:
+ entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+ ibytes = nbytes;
+ /* never pull more than available */
+- have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
++ have_bytes = entropy_count >> (POOL_ENTROPY_SHIFT + 3);
+
+ if (have_bytes < 0)
+ have_bytes = 0;
+@@ -1324,7 +1324,7 @@ retry:
+ pr_warn("negative entropy count: count %d\n", entropy_count);
+ entropy_count = 0;
+ }
+- nfrac = ibytes << (ENTROPY_SHIFT + 3);
++ nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
+ if ((size_t) entropy_count > nfrac)
+ entropy_count -= nfrac;
+ else
+@@ -1334,7 +1334,7 @@ retry:
+ goto retry;
+
+ trace_debit_entropy(8 * ibytes);
+- if (ibytes && ENTROPY_BITS() < random_write_wakeup_bits) {
++ if (ibytes && POOL_ENTROPY_BITS() < random_write_wakeup_bits) {
+ wake_up_interruptible(&random_write_wait);
+ kill_fasync(&fasync, SIGIO, POLL_OUT);
+ }
+@@ -1422,7 +1422,7 @@ static ssize_t _extract_entropy(void *bu
+ */
+ static ssize_t extract_entropy(void *buf, size_t nbytes, int min)
+ {
+- trace_extract_entropy(nbytes, ENTROPY_BITS(), _RET_IP_);
++ trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_);
+ nbytes = account(nbytes, min);
+ return _extract_entropy(buf, nbytes);
+ }
+@@ -1748,9 +1748,9 @@ urandom_read_nowarn(struct file *file, c
+ {
+ int ret;
+
+- nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
++ nbytes = min_t(size_t, nbytes, INT_MAX >> (POOL_ENTROPY_SHIFT + 3));
+ ret = extract_crng_user(buf, nbytes);
+- trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS());
++ trace_urandom_read(8 * nbytes, 0, POOL_ENTROPY_BITS());
+ return ret;
+ }
+
+@@ -1790,7 +1790,7 @@ random_poll(struct file *file, poll_tabl
+ mask = 0;
+ if (crng_ready())
+ mask |= POLLIN | POLLRDNORM;
+- if (ENTROPY_BITS() < random_write_wakeup_bits)
++ if (POOL_ENTROPY_BITS() < random_write_wakeup_bits)
+ mask |= POLLOUT | POLLWRNORM;
+ return mask;
+ }
+@@ -1846,7 +1846,7 @@ static long random_ioctl(struct file *f,
+ switch (cmd) {
+ case RNDGETENTCNT:
+ /* inherently racy, no point locking */
+- ent_count = ENTROPY_BITS();
++ ent_count = POOL_ENTROPY_BITS();
+ if (put_user(ent_count, p))
+ return -EFAULT;
+ return 0;
+@@ -2002,7 +2002,7 @@ static int proc_do_entropy(struct ctl_ta
+ struct ctl_table fake_table;
+ int entropy_count;
+
+- entropy_count = *(int *)table->data >> ENTROPY_SHIFT;
++ entropy_count = *(int *)table->data >> POOL_ENTROPY_SHIFT;
+
+ fake_table.data = &entropy_count;
+ fake_table.maxlen = sizeof(entropy_count);
+@@ -2221,7 +2221,7 @@ void add_hwgenerator_randomness(const ch
+ */
+ wait_event_interruptible(random_write_wait,
+ !system_wq || kthread_should_stop() ||
+- ENTROPY_BITS() <= random_write_wakeup_bits);
++ POOL_ENTROPY_BITS() <= random_write_wakeup_bits);
+ mix_pool_bytes(buffer, count);
+ credit_entropy_bits(entropy);
+ }
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 13 Feb 2022 16:17:01 +0100
+Subject: random: pull add_hwgenerator_randomness() declaration into random.h
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit b777c38239fec5a528e59f55b379e31b1a187524 upstream.
+
+add_hwgenerator_randomness() is a function implemented and documented
+inside of random.c. It is the way that hardware RNGs push data into it.
+Therefore, it should be declared in random.h. Otherwise sparse complains
+with:
+
+random.c:1137:6: warning: symbol 'add_hwgenerator_randomness' was not declared. Should it be static?
+
+The alternative would be to include hw_random.h into random.c, but that
+wouldn't really be good for anything except slowing down compile time.
+
+Cc: Matt Mackall <mpm@selenic.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/core.c | 1 +
+ include/linux/hw_random.h | 2 --
+ include/linux/random.h | 2 ++
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -15,6 +15,7 @@
+ #include <linux/err.h>
+ #include <linux/fs.h>
+ #include <linux/hw_random.h>
++#include <linux/random.h>
+ #include <linux/kernel.h>
+ #include <linux/kthread.h>
+ #include <linux/sched/signal.h>
+--- a/include/linux/hw_random.h
++++ b/include/linux/hw_random.h
+@@ -59,7 +59,5 @@ extern int devm_hwrng_register(struct de
+ /** Unregister a Hardware Random Number Generator driver. */
+ extern void hwrng_unregister(struct hwrng *rng);
+ extern void devm_hwrng_unregister(struct device *dve, struct hwrng *rng);
+-/** Feed random bits into the pool. */
+-extern void add_hwgenerator_randomness(const void *buffer, size_t count, size_t entropy);
+
+ #endif /* LINUX_HWRANDOM_H_ */
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -32,6 +32,8 @@ static inline void add_latent_entropy(vo
+ extern void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value) __latent_entropy;
+ extern void add_interrupt_randomness(int irq) __latent_entropy;
++extern void add_hwgenerator_randomness(const void *buffer, size_t count,
++ size_t entropy);
+
+ extern void get_random_bytes(void *buf, size_t nbytes);
+ extern int wait_for_random_bytes(void);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 12 Jan 2022 17:18:08 +0100
+Subject: random: rather than entropy_store abstraction, use global
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 90ed1e67e896cc8040a523f8428fc02f9b164394 upstream.
+
+Originally, the RNG used several pools, so having things abstracted out
+over a generic entropy_store object made sense. These days, there's only
+one input pool, and then an uneven mix of usage via the abstraction and
+usage via &input_pool. Rather than this uneasy mixture, just get rid of
+the abstraction entirely and have things always use the global. This
+simplifies the code and makes reading it a bit easier.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 219 ++++++++++++++++++------------------------
+ include/trace/events/random.h | 56 ++++------
+ 2 files changed, 117 insertions(+), 158 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -375,7 +375,7 @@
+ * credit_entropy_bits() needs to be 64 bits wide.
+ */
+ #define ENTROPY_SHIFT 3
+-#define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
++#define ENTROPY_BITS() (input_pool.entropy_count >> ENTROPY_SHIFT)
+
+ /*
+ * If the entropy count falls under this number of bits, then we
+@@ -505,33 +505,27 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ *
+ **********************************************************************/
+
+-struct entropy_store;
+-struct entropy_store {
++static u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
++
++static struct {
+ /* read-only data: */
+ u32 *pool;
+- const char *name;
+
+ /* read-write data: */
+ spinlock_t lock;
+ u16 add_ptr;
+ u16 input_rotate;
+ int entropy_count;
+-};
+-
+-static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int min);
+-static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes);
+-
+-static void crng_reseed(struct crng_state *crng, struct entropy_store *r);
+-static u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
+-
+-static struct entropy_store input_pool = {
+- .name = "input",
++} input_pool = {
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ .pool = input_pool_data
+ };
+
++static ssize_t extract_entropy(void *buf, size_t nbytes, int min);
++static ssize_t _extract_entropy(void *buf, size_t nbytes);
++
++static void crng_reseed(struct crng_state *crng, bool use_input_pool);
++
+ static u32 const twist_table[8] = {
+ 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+ 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+@@ -546,16 +540,15 @@ static u32 const twist_table[8] = {
+ * it's cheap to do so and helps slightly in the expected case where
+ * the entropy is concentrated in the low-order bits.
+ */
+-static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+- int nbytes)
++static void _mix_pool_bytes(const void *in, int nbytes)
+ {
+ unsigned long i;
+ int input_rotate;
+ const u8 *bytes = in;
+ u32 w;
+
+- input_rotate = r->input_rotate;
+- i = r->add_ptr;
++ input_rotate = input_pool.input_rotate;
++ i = input_pool.add_ptr;
+
+ /* mix one byte at a time to simplify size handling and churn faster */
+ while (nbytes--) {
+@@ -563,15 +556,15 @@ static void _mix_pool_bytes(struct entro
+ i = (i - 1) & POOL_WORDMASK;
+
+ /* XOR in the various taps */
+- w ^= r->pool[i];
+- w ^= r->pool[(i + POOL_TAP1) & POOL_WORDMASK];
+- w ^= r->pool[(i + POOL_TAP2) & POOL_WORDMASK];
+- w ^= r->pool[(i + POOL_TAP3) & POOL_WORDMASK];
+- w ^= r->pool[(i + POOL_TAP4) & POOL_WORDMASK];
+- w ^= r->pool[(i + POOL_TAP5) & POOL_WORDMASK];
++ w ^= input_pool.pool[i];
++ w ^= input_pool.pool[(i + POOL_TAP1) & POOL_WORDMASK];
++ w ^= input_pool.pool[(i + POOL_TAP2) & POOL_WORDMASK];
++ w ^= input_pool.pool[(i + POOL_TAP3) & POOL_WORDMASK];
++ w ^= input_pool.pool[(i + POOL_TAP4) & POOL_WORDMASK];
++ w ^= input_pool.pool[(i + POOL_TAP5) & POOL_WORDMASK];
+
+ /* Mix the result back in with a twist */
+- r->pool[i] = (w >> 3) ^ twist_table[w & 7];
++ input_pool.pool[i] = (w >> 3) ^ twist_table[w & 7];
+
+ /*
+ * Normally, we add 7 bits of rotation to the pool.
+@@ -582,26 +575,24 @@ static void _mix_pool_bytes(struct entro
+ input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
+ }
+
+- r->input_rotate = input_rotate;
+- r->add_ptr = i;
++ input_pool.input_rotate = input_rotate;
++ input_pool.add_ptr = i;
+ }
+
+-static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+- int nbytes)
++static void __mix_pool_bytes(const void *in, int nbytes)
+ {
+- trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_);
+- _mix_pool_bytes(r, in, nbytes);
++ trace_mix_pool_bytes_nolock(nbytes, _RET_IP_);
++ _mix_pool_bytes(in, nbytes);
+ }
+
+-static void mix_pool_bytes(struct entropy_store *r, const void *in,
+- int nbytes)
++static void mix_pool_bytes(const void *in, int nbytes)
+ {
+ unsigned long flags;
+
+- trace_mix_pool_bytes(r->name, nbytes, _RET_IP_);
+- spin_lock_irqsave(&r->lock, flags);
+- _mix_pool_bytes(r, in, nbytes);
+- spin_unlock_irqrestore(&r->lock, flags);
++ trace_mix_pool_bytes(nbytes, _RET_IP_);
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(in, nbytes);
++ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+
+ struct fast_pool {
+@@ -663,16 +654,16 @@ static void process_random_ready_list(vo
+ * Use credit_entropy_bits_safe() if the value comes from userspace
+ * or otherwise should be checked for extreme values.
+ */
+-static void credit_entropy_bits(struct entropy_store *r, int nbits)
++static void credit_entropy_bits(int nbits)
+ {
+- int entropy_count, orig;
++ int entropy_count, entropy_bits, orig;
+ int nfrac = nbits << ENTROPY_SHIFT;
+
+ if (!nbits)
+ return;
+
+ retry:
+- entropy_count = orig = ACCESS_ONCE(r->entropy_count);
++ entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+ if (nfrac < 0) {
+ /* Debit */
+ entropy_count += nfrac;
+@@ -713,26 +704,21 @@ retry:
+ }
+
+ if (WARN_ON(entropy_count < 0)) {
+- pr_warn("negative entropy/overflow: pool %s count %d\n",
+- r->name, entropy_count);
++ pr_warn("negative entropy/overflow: count %d\n", entropy_count);
+ entropy_count = 0;
+ } else if (entropy_count > POOL_FRACBITS)
+ entropy_count = POOL_FRACBITS;
+- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
++ if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- trace_credit_entropy_bits(r->name, nbits,
+- entropy_count >> ENTROPY_SHIFT, _RET_IP_);
++ trace_credit_entropy_bits(nbits, entropy_count >> ENTROPY_SHIFT, _RET_IP_);
+
+- if (r == &input_pool) {
+- int entropy_bits = entropy_count >> ENTROPY_SHIFT;
+-
+- if (crng_init < 2 && entropy_bits >= 128)
+- crng_reseed(&primary_crng, r);
+- }
++ entropy_bits = entropy_count >> ENTROPY_SHIFT;
++ if (crng_init < 2 && entropy_bits >= 128)
++ crng_reseed(&primary_crng, true);
+ }
+
+-static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(int nbits)
+ {
+ if (nbits < 0)
+ return -EINVAL;
+@@ -740,7 +726,7 @@ static int credit_entropy_bits_safe(stru
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, POOL_BITS);
+
+- credit_entropy_bits(r, nbits);
++ credit_entropy_bits(nbits);
+ return 0;
+ }
+
+@@ -817,7 +803,7 @@ static void crng_initialize_secondary(st
+
+ static void __init crng_initialize_primary(struct crng_state *crng)
+ {
+- _extract_entropy(&input_pool, &crng->state[4], sizeof(u32) * 12);
++ _extract_entropy(&crng->state[4], sizeof(u32) * 12);
+ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+@@ -978,7 +964,7 @@ static int crng_slow_load(const u8 *cp,
+ return 1;
+ }
+
+-static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
++static void crng_reseed(struct crng_state *crng, bool use_input_pool)
+ {
+ unsigned long flags;
+ int i, num;
+@@ -987,8 +973,8 @@ static void crng_reseed(struct crng_stat
+ u32 key[8];
+ } buf;
+
+- if (r) {
+- num = extract_entropy(r, &buf, 32, 16);
++ if (use_input_pool) {
++ num = extract_entropy(&buf, 32, 16);
+ if (num == 0)
+ return;
+ } else {
+@@ -1019,8 +1005,7 @@ static void _extract_crng(struct crng_st
+ init_time = READ_ONCE(crng->init_time);
+ if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
+ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
+- crng_reseed(crng, crng == &primary_crng ?
+- &input_pool : NULL);
++ crng_reseed(crng, crng == &primary_crng);
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+ chacha20_block(&crng->state[0], out);
+@@ -1131,8 +1116,8 @@ void add_device_randomness(const void *b
+
+ trace_add_device_randomness(size, _RET_IP_);
+ spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(&input_pool, buf, size);
+- _mix_pool_bytes(&input_pool, &time, sizeof(time));
++ _mix_pool_bytes(buf, size);
++ _mix_pool_bytes(&time, sizeof(time));
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+ EXPORT_SYMBOL(add_device_randomness);
+@@ -1151,7 +1136,6 @@ static struct timer_rand_state input_tim
+ */
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+ {
+- struct entropy_store *r;
+ struct {
+ long jiffies;
+ unsigned int cycles;
+@@ -1162,8 +1146,7 @@ static void add_timer_randomness(struct
+ sample.jiffies = jiffies;
+ sample.cycles = random_get_entropy();
+ sample.num = num;
+- r = &input_pool;
+- mix_pool_bytes(r, &sample, sizeof(sample));
++ mix_pool_bytes(&sample, sizeof(sample));
+
+ /*
+ * Calculate number of bits of randomness we probably added.
+@@ -1195,7 +1178,7 @@ static void add_timer_randomness(struct
+ * Round down by 1 bit on general principles,
+ * and limit entropy estimate to 12 bits.
+ */
+- credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
++ credit_entropy_bits(min_t(int, fls(delta>>1), 11));
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
+@@ -1210,7 +1193,7 @@ void add_input_randomness(unsigned int t
+ last_value = value;
+ add_timer_randomness(&input_timer_state,
+ (type << 4) ^ code ^ (code >> 4) ^ value);
+- trace_add_input_randomness(ENTROPY_BITS(&input_pool));
++ trace_add_input_randomness(ENTROPY_BITS());
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+@@ -1254,7 +1237,6 @@ static u32 get_reg(struct fast_pool *f,
+
+ void add_interrupt_randomness(int irq)
+ {
+- struct entropy_store *r;
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+ unsigned long now = jiffies;
+@@ -1289,18 +1271,17 @@ void add_interrupt_randomness(int irq)
+ !time_after(now, fast_pool->last + HZ))
+ return;
+
+- r = &input_pool;
+- if (!spin_trylock(&r->lock))
++ if (!spin_trylock(&input_pool.lock))
+ return;
+
+ fast_pool->last = now;
+- __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool));
+- spin_unlock(&r->lock);
++ __mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
++ spin_unlock(&input_pool.lock);
+
+ fast_pool->count = 0;
+
+ /* award one bit for the contents of the fast pool */
+- credit_entropy_bits(r, 1);
++ credit_entropy_bits(1);
+ }
+ EXPORT_SYMBOL_GPL(add_interrupt_randomness);
+
+@@ -1311,7 +1292,7 @@ void add_disk_randomness(struct gendisk
+ return;
+ /* first major is 1, so we get >= 0x200 here */
+ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+- trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool));
++ trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS());
+ }
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ #endif
+@@ -1326,16 +1307,16 @@ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ * This function decides how many bytes to actually take from the
+ * given pool, and also debits the entropy count accordingly.
+ */
+-static size_t account(struct entropy_store *r, size_t nbytes, int min)
++static size_t account(size_t nbytes, int min)
+ {
+ int entropy_count, orig, have_bytes;
+ size_t ibytes, nfrac;
+
+- BUG_ON(r->entropy_count > POOL_FRACBITS);
++ BUG_ON(input_pool.entropy_count > POOL_FRACBITS);
+
+ /* Can we pull enough? */
+ retry:
+- entropy_count = orig = ACCESS_ONCE(r->entropy_count);
++ entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+ ibytes = nbytes;
+ /* never pull more than available */
+ have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
+@@ -1347,8 +1328,7 @@ retry:
+ ibytes = 0;
+
+ if (WARN_ON(entropy_count < 0)) {
+- pr_warn("negative entropy count: pool %s count %d\n",
+- r->name, entropy_count);
++ pr_warn("negative entropy count: count %d\n", entropy_count);
+ entropy_count = 0;
+ }
+ nfrac = ibytes << (ENTROPY_SHIFT + 3);
+@@ -1357,11 +1337,11 @@ retry:
+ else
+ entropy_count = 0;
+
+- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
++ if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- trace_debit_entropy(r->name, 8 * ibytes);
+- if (ibytes && ENTROPY_BITS(r) < random_write_wakeup_bits) {
++ trace_debit_entropy(8 * ibytes);
++ if (ibytes && ENTROPY_BITS() < random_write_wakeup_bits) {
+ wake_up_interruptible(&random_write_wait);
+ kill_fasync(&fasync, SIGIO, POLL_OUT);
+ }
+@@ -1374,7 +1354,7 @@ retry:
+ *
+ * Note: we assume that .poolwords is a multiple of 16 words.
+ */
+-static void extract_buf(struct entropy_store *r, u8 *out)
++static void extract_buf(u8 *out)
+ {
+ struct blake2s_state state __aligned(__alignof__(unsigned long));
+ u8 hash[BLAKE2S_HASH_SIZE];
+@@ -1396,8 +1376,8 @@ static void extract_buf(struct entropy_s
+ }
+
+ /* Generate a hash across the pool */
+- spin_lock_irqsave(&r->lock, flags);
+- blake2s_update(&state, (const u8 *)r->pool, POOL_BYTES);
++ spin_lock_irqsave(&input_pool.lock, flags);
++ blake2s_update(&state, (const u8 *)input_pool.pool, POOL_BYTES);
+ blake2s_final(&state, hash); /* final zeros out state */
+
+ /*
+@@ -1409,8 +1389,8 @@ static void extract_buf(struct entropy_s
+ * brute-forcing the feedback as hard as brute-forcing the
+ * hash.
+ */
+- __mix_pool_bytes(r, hash, sizeof(hash));
+- spin_unlock_irqrestore(&r->lock, flags);
++ __mix_pool_bytes(hash, sizeof(hash));
++ spin_unlock_irqrestore(&input_pool.lock, flags);
+
+ /* Note that EXTRACT_SIZE is half of hash size here, because above
+ * we've dumped the full length back into mixer. By reducing the
+@@ -1420,14 +1400,13 @@ static void extract_buf(struct entropy_s
+ memzero_explicit(hash, sizeof(hash));
+ }
+
+-static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes)
++static ssize_t _extract_entropy(void *buf, size_t nbytes)
+ {
+ ssize_t ret = 0, i;
+ u8 tmp[EXTRACT_SIZE];
+
+ while (nbytes) {
+- extract_buf(r, tmp);
++ extract_buf(tmp);
+ i = min_t(int, nbytes, EXTRACT_SIZE);
+ memcpy(buf, tmp, i);
+ nbytes -= i;
+@@ -1448,12 +1427,11 @@ static ssize_t _extract_entropy(struct e
+ * The min parameter specifies the minimum amount we can pull before
+ * failing to avoid races that defeat catastrophic reseeding.
+ */
+-static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int min)
++static ssize_t extract_entropy(void *buf, size_t nbytes, int min)
+ {
+- trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
+- nbytes = account(r, nbytes, min);
+- return _extract_entropy(r, buf, nbytes);
++ trace_extract_entropy(nbytes, ENTROPY_BITS(), _RET_IP_);
++ nbytes = account(nbytes, min);
++ return _extract_entropy(buf, nbytes);
+ }
+
+ #define warn_unseeded_randomness(previous) \
+@@ -1538,7 +1516,7 @@ EXPORT_SYMBOL(get_random_bytes);
+ */
+ static void entropy_timer(unsigned long data)
+ {
+- credit_entropy_bits(&input_pool, 1);
++ credit_entropy_bits(1);
+ }
+
+ /*
+@@ -1562,14 +1540,14 @@ static void try_to_generate_entropy(void
+ while (!crng_ready()) {
+ if (!timer_pending(&stack.timer))
+ mod_timer(&stack.timer, jiffies+1);
+- mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ schedule();
+ stack.now = random_get_entropy();
+ }
+
+ del_timer_sync(&stack.timer);
+ destroy_timer_on_stack(&stack.timer);
+- mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++ mix_pool_bytes(&stack.now, sizeof(stack.now));
+ }
+
+ /*
+@@ -1710,26 +1688,24 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+ /*
+ * init_std_data - initialize pool with system data
+ *
+- * @r: pool to initialize
+- *
+ * This function clears the pool's entropy count and mixes some system
+ * data into the pool to prepare it for use. The pool is not cleared
+ * as that can only decrease the entropy in the pool.
+ */
+-static void __init init_std_data(struct entropy_store *r)
++static void __init init_std_data(void)
+ {
+ int i;
+ ktime_t now = ktime_get_real();
+ unsigned long rv;
+
+- mix_pool_bytes(r, &now, sizeof(now));
++ mix_pool_bytes(&now, sizeof(now));
+ for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_seed_long(&rv) &&
+ !arch_get_random_long(&rv))
+ rv = random_get_entropy();
+- mix_pool_bytes(r, &rv, sizeof(rv));
++ mix_pool_bytes(&rv, sizeof(rv));
+ }
+- mix_pool_bytes(r, utsname(), sizeof(*(utsname())));
++ mix_pool_bytes(utsname(), sizeof(*(utsname())));
+ }
+
+ /*
+@@ -1744,7 +1720,7 @@ static void __init init_std_data(struct
+ */
+ int __init rand_initialize(void)
+ {
+- init_std_data(&input_pool);
++ init_std_data();
+ if (crng_need_final_init)
+ crng_finalize_init(&primary_crng);
+ crng_initialize_primary(&primary_crng);
+@@ -1781,7 +1757,7 @@ urandom_read_nowarn(struct file *file, c
+
+ nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
+ ret = extract_crng_user(buf, nbytes);
+- trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS(&input_pool));
++ trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS());
+ return ret;
+ }
+
+@@ -1821,13 +1797,13 @@ random_poll(struct file *file, poll_tabl
+ mask = 0;
+ if (crng_ready())
+ mask |= POLLIN | POLLRDNORM;
+- if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits)
++ if (ENTROPY_BITS() < random_write_wakeup_bits)
+ mask |= POLLOUT | POLLWRNORM;
+ return mask;
+ }
+
+ static int
+-write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
++write_pool(const char __user *buffer, size_t count)
+ {
+ size_t bytes;
+ u32 t, buf[16];
+@@ -1849,7 +1825,7 @@ write_pool(struct entropy_store *r, cons
+ count -= bytes;
+ p += bytes;
+
+- mix_pool_bytes(r, buf, bytes);
++ mix_pool_bytes(buf, bytes);
+ cond_resched();
+ }
+
+@@ -1861,7 +1837,7 @@ static ssize_t random_write(struct file
+ {
+ size_t ret;
+
+- ret = write_pool(&input_pool, buffer, count);
++ ret = write_pool(buffer, count);
+ if (ret)
+ return ret;
+
+@@ -1877,7 +1853,7 @@ static long random_ioctl(struct file *f,
+ switch (cmd) {
+ case RNDGETENTCNT:
+ /* inherently racy, no point locking */
+- ent_count = ENTROPY_BITS(&input_pool);
++ ent_count = ENTROPY_BITS();
+ if (put_user(ent_count, p))
+ return -EFAULT;
+ return 0;
+@@ -1886,7 +1862,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- return credit_entropy_bits_safe(&input_pool, ent_count);
++ return credit_entropy_bits_safe(ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1896,11 +1872,10 @@ static long random_ioctl(struct file *f,
+ return -EINVAL;
+ if (get_user(size, p++))
+ return -EFAULT;
+- retval = write_pool(&input_pool, (const char __user *)p,
+- size);
++ retval = write_pool((const char __user *)p, size);
+ if (retval < 0)
+ return retval;
+- return credit_entropy_bits_safe(&input_pool, ent_count);
++ return credit_entropy_bits_safe(ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
+@@ -1916,7 +1891,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (crng_init < 2)
+ return -ENODATA;
+- crng_reseed(&primary_crng, &input_pool);
++ crng_reseed(&primary_crng, true);
+ WRITE_ONCE(crng_global_init_time, jiffies - 1);
+ return 0;
+ default:
+@@ -2238,11 +2213,9 @@ randomize_page(unsigned long start, unsi
+ void add_hwgenerator_randomness(const char *buffer, size_t count,
+ size_t entropy)
+ {
+- struct entropy_store *poolp = &input_pool;
+-
+ if (unlikely(crng_init == 0)) {
+ size_t ret = crng_fast_load(buffer, count);
+- mix_pool_bytes(poolp, buffer, ret);
++ mix_pool_bytes(buffer, ret);
+ count -= ret;
+ buffer += ret;
+ if (!count || crng_init == 0)
+@@ -2255,9 +2228,9 @@ void add_hwgenerator_randomness(const ch
+ */
+ wait_event_interruptible(random_write_wait,
+ !system_wq || kthread_should_stop() ||
+- ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
+- mix_pool_bytes(poolp, buffer, count);
+- credit_entropy_bits(poolp, entropy);
++ ENTROPY_BITS() <= random_write_wakeup_bits);
++ mix_pool_bytes(buffer, count);
++ credit_entropy_bits(entropy);
+ }
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+--- a/include/trace/events/random.h
++++ b/include/trace/events/random.h
+@@ -28,80 +28,71 @@ TRACE_EVENT(add_device_randomness,
+ );
+
+ DECLARE_EVENT_CLASS(random__mix_pool_bytes,
+- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
++ TP_PROTO(int bytes, unsigned long IP),
+
+- TP_ARGS(pool_name, bytes, IP),
++ TP_ARGS(bytes, IP),
+
+ TP_STRUCT__entry(
+- __field( const char *, pool_name )
+ __field( int, bytes )
+ __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+- __entry->pool_name = pool_name;
+ __entry->bytes = bytes;
+ __entry->IP = IP;
+ ),
+
+- TP_printk("%s pool: bytes %d caller %pS",
+- __entry->pool_name, __entry->bytes, (void *)__entry->IP)
++ TP_printk("input pool: bytes %d caller %pS",
++ __entry->bytes, (void *)__entry->IP)
+ );
+
+ DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes,
+- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
++ TP_PROTO(int bytes, unsigned long IP),
+
+- TP_ARGS(pool_name, bytes, IP)
++ TP_ARGS(bytes, IP)
+ );
+
+ DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock,
+- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
++ TP_PROTO(int bytes, unsigned long IP),
+
+- TP_ARGS(pool_name, bytes, IP)
++ TP_ARGS(bytes, IP)
+ );
+
+ TRACE_EVENT(credit_entropy_bits,
+- TP_PROTO(const char *pool_name, int bits, int entropy_count,
+- unsigned long IP),
++ TP_PROTO(int bits, int entropy_count, unsigned long IP),
+
+- TP_ARGS(pool_name, bits, entropy_count, IP),
++ TP_ARGS(bits, entropy_count, IP),
+
+ TP_STRUCT__entry(
+- __field( const char *, pool_name )
+ __field( int, bits )
+ __field( int, entropy_count )
+ __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+- __entry->pool_name = pool_name;
+ __entry->bits = bits;
+ __entry->entropy_count = entropy_count;
+ __entry->IP = IP;
+ ),
+
+- TP_printk("%s pool: bits %d entropy_count %d caller %pS",
+- __entry->pool_name, __entry->bits,
+- __entry->entropy_count, (void *)__entry->IP)
++ TP_printk("input pool: bits %d entropy_count %d caller %pS",
++ __entry->bits, __entry->entropy_count, (void *)__entry->IP)
+ );
+
+ TRACE_EVENT(debit_entropy,
+- TP_PROTO(const char *pool_name, int debit_bits),
++ TP_PROTO(int debit_bits),
+
+- TP_ARGS(pool_name, debit_bits),
++ TP_ARGS( debit_bits),
+
+ TP_STRUCT__entry(
+- __field( const char *, pool_name )
+ __field( int, debit_bits )
+ ),
+
+ TP_fast_assign(
+- __entry->pool_name = pool_name;
+ __entry->debit_bits = debit_bits;
+ ),
+
+- TP_printk("%s: debit_bits %d", __entry->pool_name,
+- __entry->debit_bits)
++ TP_printk("input pool: debit_bits %d", __entry->debit_bits)
+ );
+
+ TRACE_EVENT(add_input_randomness,
+@@ -170,36 +161,31 @@ DEFINE_EVENT(random__get_random_bytes, g
+ );
+
+ DECLARE_EVENT_CLASS(random__extract_entropy,
+- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
+- unsigned long IP),
++ TP_PROTO(int nbytes, int entropy_count, unsigned long IP),
+
+- TP_ARGS(pool_name, nbytes, entropy_count, IP),
++ TP_ARGS(nbytes, entropy_count, IP),
+
+ TP_STRUCT__entry(
+- __field( const char *, pool_name )
+ __field( int, nbytes )
+ __field( int, entropy_count )
+ __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+- __entry->pool_name = pool_name;
+ __entry->nbytes = nbytes;
+ __entry->entropy_count = entropy_count;
+ __entry->IP = IP;
+ ),
+
+- TP_printk("%s pool: nbytes %d entropy_count %d caller %pS",
+- __entry->pool_name, __entry->nbytes, __entry->entropy_count,
+- (void *)__entry->IP)
++ TP_printk("input pool: nbytes %d entropy_count %d caller %pS",
++ __entry->nbytes, __entry->entropy_count, (void *)__entry->IP)
+ );
+
+
+ DEFINE_EVENT(random__extract_entropy, extract_entropy,
+- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
+- unsigned long IP),
++ TP_PROTO(int nbytes, int entropy_count, unsigned long IP),
+
+- TP_ARGS(pool_name, nbytes, entropy_count, IP)
++ TP_ARGS(nbytes, entropy_count, IP)
+ );
+
+ TRACE_EVENT(urandom_read,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 22 Mar 2022 22:21:52 -0600
+Subject: random: re-add removed comment about get_random_{u32,u64} reseeding
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit dd7aa36e535797926d8eb311da7151919130139d upstream.
+
+The comment about get_random_{u32,u64}() not invoking reseeding got
+added in an unrelated commit, that then was recently reverted by
+0313bc278dac ("Revert "random: block in /dev/urandom""). So this adds
+that little comment snippet back, and improves the wording a bit too.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -226,9 +226,10 @@ static void _warn_unseeded_randomness(co
+ *
+ * These interfaces will return the requested number of random bytes
+ * into the given buffer or as a return value. This is equivalent to
+- * a read from /dev/urandom. The integer family of functions may be
+- * higher performance for one-off random integers, because they do a
+- * bit of buffering.
++ * a read from /dev/urandom. The u32, u64, int, and long family of
++ * functions may be higher performance for one-off random integers,
++ * because they do a bit of buffering and do not invoke reseeding
++ * until the buffer is emptied.
+ *
+ *********************************************************************/
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 28 Jan 2022 23:29:45 +0100
+Subject: random: remove batched entropy locking
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 77760fd7f7ae3dfd03668204e708d1568d75447d upstream.
+
+Rather than use spinlocks to protect batched entropy, we can instead
+disable interrupts locally, since we're dealing with per-cpu data, and
+manage resets with a basic generation counter. At the same time, we
+can't quite do this on PREEMPT_RT, where we still want spinlocks-as-
+mutexes semantics. So we use a local_lock_t, which provides the right
+behavior for each. Because this is a per-cpu lock, that generation
+counter is still doing the necessary CPU-to-CPU communication.
+
+This should improve performance a bit. It will also fix the linked splat
+that Jonathan received with a PROVE_RAW_LOCK_NESTING=y.
+
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Suggested-by: Andy Lutomirski <luto@kernel.org>
+Reported-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Tested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Link: https://lore.kernel.org/lkml/YfMa0QgsjCVdRAvJ@latitude/
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 58 +++++++++++++++++++++++---------------------------
+ 1 file changed, 27 insertions(+), 31 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1718,13 +1718,15 @@ struct ctl_table random_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+
++static atomic_t batch_generation = ATOMIC_INIT(0);
++
+ struct batched_entropy {
+ union {
+ u64 entropy_u64[CHACHA20_BLOCK_SIZE / sizeof(u64)];
+ u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ };
+ unsigned int position;
+- spinlock_t batch_lock;
++ int generation;
+ };
+
+ /*
+@@ -1735,9 +1737,7 @@ struct batched_entropy {
+ * wait_for_random_bytes() should be called and return 0 at least once at any
+ * point prior.
+ */
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
+- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
+-};
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
+
+ u64 get_random_u64(void)
+ {
+@@ -1745,67 +1745,63 @@ u64 get_random_u64(void)
+ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
++ int next_gen;
+
+ warn_unseeded_randomness(&previous);
+
++ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+- spin_lock_irqsave(&batch->batch_lock, flags);
+- if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
++
++ next_gen = atomic_read(&batch_generation);
++ if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0 ||
++ next_gen != batch->generation) {
+ extract_crng((u8 *)batch->entropy_u64);
+ batch->position = 0;
++ batch->generation = next_gen;
+ }
++
+ ret = batch->entropy_u64[batch->position++];
+- spin_unlock_irqrestore(&batch->batch_lock, flags);
++ local_irq_restore(flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u64);
+
+-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
+- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
+-};
++static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
++
+ u32 get_random_u32(void)
+ {
+ u32 ret;
+ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
++ int next_gen;
+
+ warn_unseeded_randomness(&previous);
+
++ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+- spin_lock_irqsave(&batch->batch_lock, flags);
+- if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
++
++ next_gen = atomic_read(&batch_generation);
++ if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0 ||
++ next_gen != batch->generation) {
+ extract_crng((u8 *)batch->entropy_u32);
+ batch->position = 0;
++ batch->generation = next_gen;
+ }
++
+ ret = batch->entropy_u32[batch->position++];
+- spin_unlock_irqrestore(&batch->batch_lock, flags);
++ local_irq_restore(flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(get_random_u32);
+
+ /* It's important to invalidate all potential batched entropy that might
+ * be stored before the crng is initialized, which we can do lazily by
+- * simply resetting the counter to zero so that it's re-extracted on the
+- * next usage. */
++ * bumping the generation counter.
++ */
+ static void invalidate_batched_entropy(void)
+ {
+- int cpu;
+- unsigned long flags;
+-
+- for_each_possible_cpu(cpu) {
+- struct batched_entropy *batched_entropy;
+-
+- batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
+- spin_lock_irqsave(&batched_entropy->batch_lock, flags);
+- batched_entropy->position = 0;
+- spin_unlock(&batched_entropy->batch_lock);
+-
+- batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
+- spin_lock(&batched_entropy->batch_lock);
+- batched_entropy->position = 0;
+- spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
+- }
++ atomic_inc(&batch_generation);
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 21 Mar 2021 22:14:00 -0700
+Subject: random: remove dead code left over from blocking pool
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 118a4417e14348b2e46f5e467da8444ec4757a45 upstream.
+
+Remove some dead code that was left over following commit 90ea1c6436d2
+("random: remove the blocking pool").
+
+Cc: linux-crypto@vger.kernel.org
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 17 +-------
+ include/trace/events/random.h | 83 ------------------------------------------
+ 2 files changed, 3 insertions(+), 97 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -502,7 +502,6 @@ struct entropy_store {
+ unsigned short add_ptr;
+ unsigned short input_rotate;
+ int entropy_count;
+- unsigned int initialized:1;
+ unsigned int last_data_init:1;
+ __u8 last_data[EXTRACT_SIZE];
+ };
+@@ -662,7 +661,7 @@ static void process_random_ready_list(vo
+ */
+ static void credit_entropy_bits(struct entropy_store *r, int nbits)
+ {
+- int entropy_count, orig, has_initialized = 0;
++ int entropy_count, orig;
+ const int pool_size = r->poolinfo->poolfracbits;
+ int nfrac = nbits << ENTROPY_SHIFT;
+
+@@ -719,23 +718,14 @@ retry:
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+- if (has_initialized) {
+- r->initialized = 1;
+- kill_fasync(&fasync, SIGIO, POLL_IN);
+- }
+-
+ trace_credit_entropy_bits(r->name, nbits,
+ entropy_count >> ENTROPY_SHIFT, _RET_IP_);
+
+ if (r == &input_pool) {
+ int entropy_bits = entropy_count >> ENTROPY_SHIFT;
+
+- if (crng_init < 2) {
+- if (entropy_bits < 128)
+- return;
++ if (crng_init < 2 && entropy_bits >= 128)
+ crng_reseed(&primary_crng, r);
+- entropy_bits = ENTROPY_BITS(r);
+- }
+ }
+ }
+
+@@ -1390,8 +1380,7 @@ retry:
+ }
+
+ /*
+- * This function does the actual extraction for extract_entropy and
+- * extract_entropy_user.
++ * This function does the actual extraction for extract_entropy.
+ *
+ * Note: we assume that .poolwords is a multiple of 16 words.
+ */
+--- a/include/trace/events/random.h
++++ b/include/trace/events/random.h
+@@ -85,28 +85,6 @@ TRACE_EVENT(credit_entropy_bits,
+ __entry->entropy_count, (void *)__entry->IP)
+ );
+
+-TRACE_EVENT(push_to_pool,
+- TP_PROTO(const char *pool_name, int pool_bits, int input_bits),
+-
+- TP_ARGS(pool_name, pool_bits, input_bits),
+-
+- TP_STRUCT__entry(
+- __field( const char *, pool_name )
+- __field( int, pool_bits )
+- __field( int, input_bits )
+- ),
+-
+- TP_fast_assign(
+- __entry->pool_name = pool_name;
+- __entry->pool_bits = pool_bits;
+- __entry->input_bits = input_bits;
+- ),
+-
+- TP_printk("%s: pool_bits %d input_pool_bits %d",
+- __entry->pool_name, __entry->pool_bits,
+- __entry->input_bits)
+-);
+-
+ TRACE_EVENT(debit_entropy,
+ TP_PROTO(const char *pool_name, int debit_bits),
+
+@@ -161,35 +139,6 @@ TRACE_EVENT(add_disk_randomness,
+ MINOR(__entry->dev), __entry->input_bits)
+ );
+
+-TRACE_EVENT(xfer_secondary_pool,
+- TP_PROTO(const char *pool_name, int xfer_bits, int request_bits,
+- int pool_entropy, int input_entropy),
+-
+- TP_ARGS(pool_name, xfer_bits, request_bits, pool_entropy,
+- input_entropy),
+-
+- TP_STRUCT__entry(
+- __field( const char *, pool_name )
+- __field( int, xfer_bits )
+- __field( int, request_bits )
+- __field( int, pool_entropy )
+- __field( int, input_entropy )
+- ),
+-
+- TP_fast_assign(
+- __entry->pool_name = pool_name;
+- __entry->xfer_bits = xfer_bits;
+- __entry->request_bits = request_bits;
+- __entry->pool_entropy = pool_entropy;
+- __entry->input_entropy = input_entropy;
+- ),
+-
+- TP_printk("pool %s xfer_bits %d request_bits %d pool_entropy %d "
+- "input_entropy %d", __entry->pool_name, __entry->xfer_bits,
+- __entry->request_bits, __entry->pool_entropy,
+- __entry->input_entropy)
+-);
+-
+ DECLARE_EVENT_CLASS(random__get_random_bytes,
+ TP_PROTO(int nbytes, unsigned long IP),
+
+@@ -253,38 +202,6 @@ DEFINE_EVENT(random__extract_entropy, ex
+ TP_ARGS(pool_name, nbytes, entropy_count, IP)
+ );
+
+-DEFINE_EVENT(random__extract_entropy, extract_entropy_user,
+- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
+- unsigned long IP),
+-
+- TP_ARGS(pool_name, nbytes, entropy_count, IP)
+-);
+-
+-TRACE_EVENT(random_read,
+- TP_PROTO(int got_bits, int need_bits, int pool_left, int input_left),
+-
+- TP_ARGS(got_bits, need_bits, pool_left, input_left),
+-
+- TP_STRUCT__entry(
+- __field( int, got_bits )
+- __field( int, need_bits )
+- __field( int, pool_left )
+- __field( int, input_left )
+- ),
+-
+- TP_fast_assign(
+- __entry->got_bits = got_bits;
+- __entry->need_bits = need_bits;
+- __entry->pool_left = pool_left;
+- __entry->input_left = input_left;
+- ),
+-
+- TP_printk("got_bits %d still_needed_bits %d "
+- "blocking_pool_entropy_left %d input_entropy_left %d",
+- __entry->got_bits, __entry->got_bits, __entry->pool_left,
+- __entry->input_left)
+-);
+-
+ TRACE_EVENT(urandom_read,
+ TP_PROTO(int got_bits, int pool_left, int input_left),
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 13 May 2022 12:29:38 +0200
+Subject: random: remove extern from functions in header
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 7782cfeca7d420e8bb707613d4cfb0f7ff29bb3a upstream.
+
+Accoriding to the kernel style guide, having `extern` on functions in
+headers is old school and deprecated, and doesn't add anything. So remove
+them from random.h, and tidy up the file a little bit too.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 71 +++++++++++++++++++------------------------------
+ 1 file changed, 28 insertions(+), 43 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -12,13 +12,12 @@
+
+ struct notifier_block;
+
+-extern void add_device_randomness(const void *, size_t);
+-extern void add_bootloader_randomness(const void *, size_t);
+-extern void add_input_randomness(unsigned int type, unsigned int code,
+- unsigned int value) __latent_entropy;
+-extern void add_interrupt_randomness(int irq) __latent_entropy;
+-extern void add_hwgenerator_randomness(const void *buffer, size_t count,
+- size_t entropy);
++void add_device_randomness(const void *, size_t);
++void add_bootloader_randomness(const void *, size_t);
++void add_input_randomness(unsigned int type, unsigned int code,
++ unsigned int value) __latent_entropy;
++void add_interrupt_randomness(int irq) __latent_entropy;
++void add_hwgenerator_randomness(const void *buffer, size_t count, size_t entropy);
+
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
+@@ -26,21 +25,11 @@ static inline void add_latent_entropy(vo
+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+ }
+ #else
+-static inline void add_latent_entropy(void) {}
+-#endif
+-
+-extern void get_random_bytes(void *buf, size_t nbytes);
+-extern int wait_for_random_bytes(void);
+-extern int __init random_init(const char *command_line);
+-extern bool rng_is_initialized(void);
+-extern int register_random_ready_notifier(struct notifier_block *nb);
+-extern int unregister_random_ready_notifier(struct notifier_block *nb);
+-extern size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes);
+-
+-#ifndef MODULE
+-extern const struct file_operations random_fops, urandom_fops;
++static inline void add_latent_entropy(void) { }
+ #endif
+
++void get_random_bytes(void *buf, size_t nbytes);
++size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes);
+ u32 get_random_u32(void);
+ u64 get_random_u64(void);
+ static inline unsigned int get_random_int(void)
+@@ -72,11 +61,17 @@ static inline unsigned long get_random_l
+
+ static inline unsigned long get_random_canary(void)
+ {
+- unsigned long val = get_random_long();
+-
+- return val & CANARY_MASK;
++ return get_random_long() & CANARY_MASK;
+ }
+
++unsigned long randomize_page(unsigned long start, unsigned long range);
++
++int __init random_init(const char *command_line);
++bool rng_is_initialized(void);
++int wait_for_random_bytes(void);
++int register_random_ready_notifier(struct notifier_block *nb);
++int unregister_random_ready_notifier(struct notifier_block *nb);
++
+ /* Calls wait_for_random_bytes() and then calls get_random_bytes(buf, nbytes).
+ * Returns the result of the call to wait_for_random_bytes. */
+ static inline int get_random_bytes_wait(void *buf, size_t nbytes)
+@@ -100,8 +95,6 @@ declare_get_random_var_wait(int)
+ declare_get_random_var_wait(long)
+ #undef declare_get_random_var
+
+-unsigned long randomize_page(unsigned long start, unsigned long range);
+-
+ /*
+ * This is designed to be standalone for just prandom
+ * users, but for now we include it from <linux/random.h>
+@@ -112,22 +105,10 @@ unsigned long randomize_page(unsigned lo
+ #ifdef CONFIG_ARCH_RANDOM
+ # include <asm/archrandom.h>
+ #else
+-static inline bool __must_check arch_get_random_long(unsigned long *v)
+-{
+- return false;
+-}
+-static inline bool __must_check arch_get_random_int(unsigned int *v)
+-{
+- return false;
+-}
+-static inline bool __must_check arch_get_random_seed_long(unsigned long *v)
+-{
+- return false;
+-}
+-static inline bool __must_check arch_get_random_seed_int(unsigned int *v)
+-{
+- return false;
+-}
++static inline bool __must_check arch_get_random_long(unsigned long *v) { return false; }
++static inline bool __must_check arch_get_random_int(unsigned int *v) { return false; }
++static inline bool __must_check arch_get_random_seed_long(unsigned long *v) { return false; }
++static inline bool __must_check arch_get_random_seed_int(unsigned int *v) { return false; }
+ #endif
+
+ /*
+@@ -151,8 +132,12 @@ static inline bool __init arch_get_rando
+ #endif
+
+ #ifdef CONFIG_SMP
+-extern int random_prepare_cpu(unsigned int cpu);
+-extern int random_online_cpu(unsigned int cpu);
++int random_prepare_cpu(unsigned int cpu);
++int random_online_cpu(unsigned int cpu);
++#endif
++
++#ifndef MODULE
++extern const struct file_operations random_fops, urandom_fops;
+ #endif
+
+ #endif /* _LINUX_RANDOM_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 10 Feb 2022 16:35:24 +0100
+Subject: random: remove ifdef'd out interrupt bench
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 95e6060c20a7f5db60163274c5222a725ac118f9 upstream.
+
+With tools like kbench9000 giving more finegrained responses, and this
+basically never having been used ever since it was initially added,
+let's just get rid of this. There *is* still work to be done on the
+interrupt handler, but this really isn't the way it's being developed.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sysctl/kernel.txt | 9 ---------
+ drivers/char/random.c | 40 ----------------------------------------
+ 2 files changed, 49 deletions(-)
+
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -812,15 +812,6 @@ This is a directory, with the following
+ are woken up. This file is writable for compatibility purposes, but
+ writing to it has no effect on any RNG behavior.
+
+-If ``drivers/char/random.c`` is built with ``ADD_INTERRUPT_BENCH``
+-defined, these additional entries are present:
+-
+-* ``add_interrupt_avg_cycles``: the average number of cycles between
+- interrupts used to feed the pool;
+-
+-* ``add_interrupt_avg_deviation``: the standard deviation seen on the
+- number of cycles between interrupts used to feed the pool.
+-
+
+ randomize_va_space
+ ==================
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -240,8 +240,6 @@
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/random.h>
+
+-/* #define ADD_INTERRUPT_BENCH */
+-
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+ POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+@@ -806,27 +804,6 @@ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+ static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
+
+-#ifdef ADD_INTERRUPT_BENCH
+-static unsigned long avg_cycles, avg_deviation;
+-
+-#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
+-#define FIXED_1_2 (1 << (AVG_SHIFT - 1))
+-
+-static void add_interrupt_bench(cycles_t start)
+-{
+- long delta = random_get_entropy() - start;
+-
+- /* Use a weighted moving average */
+- delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
+- avg_cycles += delta;
+- /* And average deviation */
+- delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
+- avg_deviation += delta;
+-}
+-#else
+-#define add_interrupt_bench(x)
+-#endif
+-
+ static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+ u32 *ptr = (u32 *)regs;
+@@ -863,7 +840,6 @@ void add_interrupt_randomness(int irq)
+ (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
+
+ fast_mix(fast_pool);
+- add_interrupt_bench(cycles);
+
+ if (unlikely(crng_init == 0)) {
+ if (fast_pool->count >= 64 &&
+@@ -1571,22 +1547,6 @@ struct ctl_table random_table[] = {
+ .mode = 0444,
+ .proc_handler = proc_do_uuid,
+ },
+-#ifdef ADD_INTERRUPT_BENCH
+- {
+- .procname = "add_interrupt_avg_cycles",
+- .data = &avg_cycles,
+- .maxlen = sizeof(avg_cycles),
+- .mode = 0444,
+- .proc_handler = proc_doulongvec_minmax,
+- },
+- {
+- .procname = "add_interrupt_avg_deviation",
+- .data = &avg_deviation,
+- .maxlen = sizeof(avg_deviation),
+- .mode = 0444,
+- .proc_handler = proc_doulongvec_minmax,
+- },
+-#endif
+ { }
+ };
+ #endif /* CONFIG_SYSCTL */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 12 Jan 2022 15:22:30 +0100
+Subject: random: remove incomplete last_data logic
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a4bfa9b31802c14ff5847123c12b98d5e36b3985 upstream.
+
+There were a few things added under the "if (fips_enabled)" banner,
+which never really got completed, and the FIPS people anyway are
+choosing a different direction. Rather than keep around this halfbaked
+code, get rid of it so that we can focus on a single design of the RNG
+rather than two designs.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 40 ++++------------------------------------
+ 1 file changed, 4 insertions(+), 36 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -337,8 +337,6 @@
+ #include <linux/spinlock.h>
+ #include <linux/kthread.h>
+ #include <linux/percpu.h>
+-#include <linux/cryptohash.h>
+-#include <linux/fips.h>
+ #include <linux/ptrace.h>
+ #include <linux/workqueue.h>
+ #include <linux/irq.h>
+@@ -518,14 +516,12 @@ struct entropy_store {
+ u16 add_ptr;
+ u16 input_rotate;
+ int entropy_count;
+- unsigned int last_data_init:1;
+- u8 last_data[EXTRACT_SIZE];
+ };
+
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ size_t nbytes, int min, int rsvd);
+ static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int fips);
++ size_t nbytes);
+
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r);
+ static u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
+@@ -821,7 +817,7 @@ static void crng_initialize_secondary(st
+
+ static void __init crng_initialize_primary(struct crng_state *crng)
+ {
+- _extract_entropy(&input_pool, &crng->state[4], sizeof(u32) * 12, 0);
++ _extract_entropy(&input_pool, &crng->state[4], sizeof(u32) * 12);
+ if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+@@ -1426,22 +1422,13 @@ static void extract_buf(struct entropy_s
+ }
+
+ static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int fips)
++ size_t nbytes)
+ {
+ ssize_t ret = 0, i;
+ u8 tmp[EXTRACT_SIZE];
+- unsigned long flags;
+
+ while (nbytes) {
+ extract_buf(r, tmp);
+-
+- if (fips) {
+- spin_lock_irqsave(&r->lock, flags);
+- if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+- panic("Hardware RNG duplicated output!\n");
+- memcpy(r->last_data, tmp, EXTRACT_SIZE);
+- spin_unlock_irqrestore(&r->lock, flags);
+- }
+ i = min_t(int, nbytes, EXTRACT_SIZE);
+ memcpy(buf, tmp, i);
+ nbytes -= i;
+@@ -1467,28 +1454,9 @@ static ssize_t _extract_entropy(struct e
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ size_t nbytes, int min, int reserved)
+ {
+- u8 tmp[EXTRACT_SIZE];
+- unsigned long flags;
+-
+- /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
+- if (fips_enabled) {
+- spin_lock_irqsave(&r->lock, flags);
+- if (!r->last_data_init) {
+- r->last_data_init = 1;
+- spin_unlock_irqrestore(&r->lock, flags);
+- trace_extract_entropy(r->name, EXTRACT_SIZE,
+- ENTROPY_BITS(r), _RET_IP_);
+- extract_buf(r, tmp);
+- spin_lock_irqsave(&r->lock, flags);
+- memcpy(r->last_data, tmp, EXTRACT_SIZE);
+- }
+- spin_unlock_irqrestore(&r->lock, flags);
+- }
+-
+ trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
+ nbytes = account(r, nbytes, min, reserved);
+-
+- return _extract_entropy(r, buf, nbytes, fips_enabled);
++ return _extract_entropy(r, buf, nbytes);
+ }
+
+ #define warn_unseeded_randomness(previous) \
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:51 -0800
+Subject: random: remove kernel.random.read_wakeup_threshold
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit c95ea0c69ffda19381c116db2be23c7e654dac98 upstream.
+
+It has no effect any more, so remove it. We can revert this if
+there is some user code that expects to be able to set this sysctl.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/a74ed2cf0b5a5451428a246a9239f5bc4e29358f.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -370,12 +370,6 @@
+ #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
+
+ /*
+- * The minimum number of bits of entropy before we wake up a read on
+- * /dev/random. Should be enough to do a significant reseed.
+- */
+-static int random_read_wakeup_bits = 64;
+-
+-/*
+ * If the entropy count falls under this number of bits, then we
+ * should wake up processes which are selecting or polling on write
+ * access to /dev/random.
+@@ -2010,8 +2004,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+
+ #include <linux/sysctl.h>
+
+-static int min_read_thresh = 8, min_write_thresh;
+-static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
++static int min_write_thresh;
+ static int max_write_thresh = INPUT_POOL_WORDS * 32;
+ static int random_min_urandom_seed = 60;
+ static char sysctl_bootid[16];
+@@ -2087,15 +2080,6 @@ struct ctl_table random_table[] = {
+ .data = &input_pool.entropy_count,
+ },
+ {
+- .procname = "read_wakeup_threshold",
+- .data = &random_read_wakeup_bits,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = &min_read_thresh,
+- .extra2 = &max_read_thresh,
+- },
+- {
+ .procname = "write_wakeup_threshold",
+ .data = &random_write_wakeup_bits,
+ .maxlen = sizeof(int),
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 7 Feb 2022 23:37:13 +0100
+Subject: random: remove outdated INT_MAX >> 6 check in urandom_read()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 434537ae54ad37e93555de21b6ac8133d6d773a9 upstream.
+
+In 79a8468747c5 ("random: check for increase of entropy_count because of
+signed conversion"), a number of checks were added around what values
+were passed to account(), because account() was doing fancy fixed point
+fractional arithmetic, and a user had some ability to pass large values
+directly into it. One of things in that commit was limiting those values
+to INT_MAX >> 6. The first >> 3 was for bytes to bits, and the next >> 3
+was for bits to 1/8 fractional bits.
+
+However, for several years now, urandom reads no longer touch entropy
+accounting, and so this check serves no purpose. The current flow is:
+
+urandom_read_nowarn()-->get_random_bytes_user()-->chacha20_block()
+
+Of course, we don't want that size_t to be truncated when adding it into
+the ssize_t. But we arrive at urandom_read_nowarn() in the first place
+either via ordinary fops, which limits reads to MAX_RW_COUNT, or via
+getrandom() which limits reads to INT_MAX.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Jann Horn <jannh@google.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1284,9 +1284,8 @@ void rand_initialize_disk(struct gendisk
+ static ssize_t urandom_read_nowarn(struct file *file, char __user *buf,
+ size_t nbytes, loff_t *ppos)
+ {
+- int ret;
++ ssize_t ret;
+
+- nbytes = min_t(size_t, nbytes, INT_MAX >> 6);
+ ret = get_random_bytes_user(buf, nbytes);
+ trace_urandom_read(nbytes, input_pool.entropy_count);
+ return ret;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Ingo Molnar <mingo@elte.hu>
+Date: Sun, 22 Jul 2018 10:51:50 -0400
+Subject: random: remove preempt disabled region
+
+From: Ingo Molnar <mingo@elte.hu>
+
+commit b34fbaa9289328c7aec67d2b8b8b7d02bc61c67d upstream.
+
+No need to keep preemption disabled across the whole function.
+
+mix_pool_bytes() uses a spin_lock() to protect the pool and there are
+other places like write_pool() whhich invoke mix_pool_bytes() without
+disabling preemption.
+credit_entropy_bits() is invoked from other places like
+add_hwgenerator_randomness() without disabling preemption.
+
+Before commit 95b709b6be49 ("random: drop trickle mode") the function
+used __this_cpu_inc_return() which would require disabled preemption.
+The preempt_disable() section was added in commit 43d5d3018c37 ("[PATCH]
+random driver preempt robustness", history tree). It was claimed that
+the code relied on "vt_ioctl() being called under BKL".
+
+Cc: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+[bigeasy: enhance the commit message]
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1136,8 +1136,6 @@ static void add_timer_randomness(struct
+ } sample;
+ long delta, delta2, delta3;
+
+- preempt_disable();
+-
+ sample.jiffies = jiffies;
+ sample.cycles = random_get_entropy();
+ sample.num = num;
+@@ -1175,8 +1173,6 @@ static void add_timer_randomness(struct
+ * and limit entropy entimate to 12 bits.
+ */
+ credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
+-
+- preempt_enable();
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 9 May 2022 16:13:18 +0200
+Subject: random: remove ratelimiting for in-kernel unseeded randomness
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit cc1e127bfa95b5fb2f9307e7168bf8b2b45b4c5e upstream.
+
+The CONFIG_WARN_ALL_UNSEEDED_RANDOM debug option controls whether the
+kernel warns about all unseeded randomness or just the first instance.
+There's some complicated rate limiting and comparison to the previous
+caller, such that even with CONFIG_WARN_ALL_UNSEEDED_RANDOM enabled,
+developers still don't see all the messages or even an accurate count of
+how many were missed. This is the result of basically parallel
+mechanisms aimed at accomplishing more or less the same thing, added at
+different points in random.c history, which sort of compete with the
+first-instance-only limiting we have now.
+
+It turns out, however, that nobody cares about the first unseeded
+randomness instance of in-kernel users. The same first user has been
+there for ages now, and nobody is doing anything about it. It isn't even
+clear that anybody _can_ do anything about it. Most places that can do
+something about it have switched over to using get_random_bytes_wait()
+or wait_for_random_bytes(), which is the right thing to do, but there is
+still much code that needs randomness sometimes during init, and as a
+geeneral rule, if you're not using one of the _wait functions or the
+readiness notifier callback, you're bound to be doing it wrong just
+based on that fact alone.
+
+So warning about this same first user that can't easily change is simply
+not an effective mechanism for anything at all. Users can't do anything
+about it, as the Kconfig text points out -- the problem isn't in
+userspace code -- and kernel developers don't or more often can't react
+to it.
+
+Instead, show the warning for all instances when CONFIG_WARN_ALL_UNSEEDED_RANDOM
+is set, so that developers can debug things need be, or if it isn't set,
+don't show a warning at all.
+
+At the same time, CONFIG_WARN_ALL_UNSEEDED_RANDOM now implies setting
+random.ratelimit_disable=1 on by default, since if you care about one
+you probably care about the other too. And we can clean up usage around
+the related urandom_warning ratelimiter as well (whose behavior isn't
+changing), so that it properly counts missed messages after the 10
+message threshold is reached.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 61 ++++++++++++++------------------------------------
+ lib/Kconfig.debug | 5 +---
+ 2 files changed, 20 insertions(+), 46 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -86,11 +86,10 @@ static DEFINE_SPINLOCK(random_ready_chai
+ static RAW_NOTIFIER_HEAD(random_ready_chain);
+
+ /* Control how we warn userspace. */
+-static struct ratelimit_state unseeded_warning =
+- RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
+ static struct ratelimit_state urandom_warning =
+ RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
+-static int ratelimit_disable __read_mostly;
++static int ratelimit_disable __read_mostly =
++ IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM);
+ module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
+ MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
+
+@@ -183,27 +182,15 @@ static void process_random_ready_list(vo
+ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
+ }
+
+-#define warn_unseeded_randomness(previous) \
+- _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
++#define warn_unseeded_randomness() \
++ _warn_unseeded_randomness(__func__, (void *)_RET_IP_)
+
+-static void _warn_unseeded_randomness(const char *func_name, void *caller, void **previous)
++static void _warn_unseeded_randomness(const char *func_name, void *caller)
+ {
+-#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
+- const bool print_once = false;
+-#else
+- static bool print_once __read_mostly;
+-#endif
+-
+- if (print_once || crng_ready() ||
+- (previous && (caller == READ_ONCE(*previous))))
++ if (!IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) || crng_ready())
+ return;
+- WRITE_ONCE(*previous, caller);
+-#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
+- print_once = true;
+-#endif
+- if (__ratelimit(&unseeded_warning))
+- printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
+- func_name, caller, crng_init);
++ printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n",
++ func_name, caller, crng_init);
+ }
+
+
+@@ -454,9 +441,7 @@ static void _get_random_bytes(void *buf,
+ */
+ void get_random_bytes(void *buf, size_t nbytes)
+ {
+- static void *previous;
+-
+- warn_unseeded_randomness(&previous);
++ warn_unseeded_randomness();
+ _get_random_bytes(buf, nbytes);
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+@@ -550,10 +535,9 @@ u64 get_random_u64(void)
+ u64 ret;
+ unsigned long flags;
+ struct batched_entropy *batch;
+- static void *previous;
+ unsigned long next_gen;
+
+- warn_unseeded_randomness(&previous);
++ warn_unseeded_randomness();
+
+ if (!crng_ready()) {
+ _get_random_bytes(&ret, sizeof(ret));
+@@ -588,10 +572,9 @@ u32 get_random_u32(void)
+ u32 ret;
+ unsigned long flags;
+ struct batched_entropy *batch;
+- static void *previous;
+ unsigned long next_gen;
+
+- warn_unseeded_randomness(&previous);
++ warn_unseeded_randomness();
+
+ if (!crng_ready()) {
+ _get_random_bytes(&ret, sizeof(ret));
+@@ -818,16 +801,9 @@ static void credit_init_bits(size_t nbit
+ wake_up_interruptible(&crng_init_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ pr_notice("crng init done\n");
+- if (unseeded_warning.missed) {
+- pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
+- unseeded_warning.missed);
+- unseeded_warning.missed = 0;
+- }
+- if (urandom_warning.missed) {
++ if (urandom_warning.missed)
+ pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
+ urandom_warning.missed);
+- urandom_warning.missed = 0;
+- }
+ } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) {
+ spin_lock_irqsave(&base_crng.lock, flags);
+ /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */
+@@ -940,10 +916,6 @@ int __init rand_initialize(void)
+ else if (arch_init && trust_cpu)
+ credit_init_bits(BLAKE2S_BLOCK_SIZE * 8);
+
+- if (ratelimit_disable) {
+- urandom_warning.interval = 0;
+- unseeded_warning.interval = 0;
+- }
+ return 0;
+ }
+
+@@ -1389,11 +1361,14 @@ static ssize_t urandom_read(struct file
+ {
+ static int maxwarn = 10;
+
+- if (!crng_ready() && maxwarn > 0) {
+- maxwarn--;
+- if (__ratelimit(&urandom_warning))
++ if (!crng_ready()) {
++ if (!ratelimit_disable && maxwarn <= 0)
++ ++urandom_warning.missed;
++ else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
++ --maxwarn;
+ pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
+ current->comm, nbytes);
++ }
+ }
+
+ return get_random_bytes_user(buf, nbytes);
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1267,9 +1267,8 @@ config WARN_ALL_UNSEEDED_RANDOM
+ time. This is really bad from a security perspective, and
+ so architecture maintainers really need to do what they can
+ to get the CRNG seeded sooner after the system is booted.
+- However, since users can not do anything actionble to
+- address this, by default the kernel will issue only a single
+- warning for the first use of unseeded randomness.
++ However, since users cannot do anything actionable to
++ address this, by default this option is disabled.
+
+ Say Y here if you want to receive warnings for all uses of
+ unseeded randomness. This will be of use primarily for
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 7 Jan 2020 16:56:11 -0500
+Subject: random: remove some dead code of poolinfo
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 09a6d00a42ce0e63e2a15be3d070974bcc656ec7 upstream.
+
+Since it is not being used, so delete it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Link: https://lore.kernel.org/r/20190607182517.28266-5-tiny.windzz@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 30 ------------------------------
+ 1 file changed, 30 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -431,36 +431,6 @@ static const struct poolinfo {
+ /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */
+ /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
+ { S(128), 104, 76, 51, 25, 1 },
+- /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */
+- /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */
+- { S(32), 26, 19, 14, 7, 1 },
+-#if 0
+- /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
+- { S(2048), 1638, 1231, 819, 411, 1 },
+-
+- /* x^1024 + x^817 + x^615 + x^412 + x^204 + x + 1 -- 290 */
+- { S(1024), 817, 615, 412, 204, 1 },
+-
+- /* x^1024 + x^819 + x^616 + x^410 + x^207 + x^2 + 1 -- 115 */
+- { S(1024), 819, 616, 410, 207, 2 },
+-
+- /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */
+- { S(512), 411, 308, 208, 104, 1 },
+-
+- /* x^512 + x^409 + x^307 + x^206 + x^102 + x^2 + 1 -- 95 */
+- { S(512), 409, 307, 206, 102, 2 },
+- /* x^512 + x^409 + x^309 + x^205 + x^103 + x^2 + 1 -- 95 */
+- { S(512), 409, 309, 205, 103, 2 },
+-
+- /* x^256 + x^205 + x^155 + x^101 + x^52 + x + 1 -- 125 */
+- { S(256), 205, 155, 101, 52, 1 },
+-
+- /* x^128 + x^103 + x^78 + x^51 + x^27 + x^2 + 1 -- 70 */
+- { S(128), 103, 78, 51, 27, 2 },
+-
+- /* x^64 + x^52 + x^39 + x^26 + x^14 + x + 1 -- 15 */
+- { S(64), 52, 39, 26, 14, 1 },
+-#endif
+ };
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 23 Dec 2019 00:20:49 -0800
+Subject: random: remove the blocking pool
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 90ea1c6436d26e62496616fb5891e00819ff4849 upstream.
+
+There is no longer any interface to read data from the blocking
+pool, so remove it.
+
+This enables quite a bit of code deletion, much of which will be
+done in subsequent patches.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Link: https://lore.kernel.org/r/511225a224bf0a291149d3c0b8b45393cd03ab96.1577088521.git.luto@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 106 --------------------------------------------------
+ 1 file changed, 106 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -470,7 +470,6 @@ static const struct poolinfo {
+ /*
+ * Static global variables
+ */
+-static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
+ static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+ static struct fasync_struct *fasync;
+
+@@ -532,7 +531,6 @@ struct entropy_store {
+ __u32 *pool;
+ const char *name;
+ struct entropy_store *pull;
+- struct work_struct push_work;
+
+ /* read-write data: */
+ unsigned long last_pulled;
+@@ -551,9 +549,7 @@ static ssize_t _extract_entropy(struct e
+ size_t nbytes, int fips);
+
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r);
+-static void push_to_pool(struct work_struct *work);
+ static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
+-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
+
+ static struct entropy_store input_pool = {
+ .poolinfo = &poolinfo_table[0],
+@@ -562,16 +558,6 @@ static struct entropy_store input_pool =
+ .pool = input_pool_data
+ };
+
+-static struct entropy_store blocking_pool = {
+- .poolinfo = &poolinfo_table[1],
+- .name = "blocking",
+- .pull = &input_pool,
+- .lock = __SPIN_LOCK_UNLOCKED(blocking_pool.lock),
+- .pool = blocking_pool_data,
+- .push_work = __WORK_INITIALIZER(blocking_pool.push_work,
+- push_to_pool),
+-};
+-
+ static __u32 const twist_table[8] = {
+ 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+ 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+@@ -767,15 +753,11 @@ retry:
+ entropy_count = 0;
+ } else if (entropy_count > pool_size)
+ entropy_count = pool_size;
+- if ((r == &blocking_pool) && !r->initialized &&
+- (entropy_count >> ENTROPY_SHIFT) > 128)
+- has_initialized = 1;
+ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
+ goto retry;
+
+ if (has_initialized) {
+ r->initialized = 1;
+- wake_up_interruptible(&random_read_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+ }
+
+@@ -784,7 +766,6 @@ retry:
+
+ if (r == &input_pool) {
+ int entropy_bits = entropy_count >> ENTROPY_SHIFT;
+- struct entropy_store *other = &blocking_pool;
+
+ if (crng_init < 2) {
+ if (entropy_bits < 128)
+@@ -792,27 +773,6 @@ retry:
+ crng_reseed(&primary_crng, r);
+ entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
+ }
+-
+- /* initialize the blocking pool if necessary */
+- if (entropy_bits >= random_read_wakeup_bits &&
+- !other->initialized) {
+- schedule_work(&other->push_work);
+- return;
+- }
+-
+- /* should we wake readers? */
+- if (entropy_bits >= random_read_wakeup_bits &&
+- wq_has_sleeper(&random_read_wait)) {
+- wake_up_interruptible(&random_read_wait);
+- }
+- /* If the input pool is getting full, and the blocking
+- * pool has room, send some entropy to the blocking
+- * pool.
+- */
+- if (!work_pending(&other->push_work) &&
+- (ENTROPY_BITS(r) > 6 * r->poolinfo->poolbytes) &&
+- (ENTROPY_BITS(other) <= 6 * other->poolinfo->poolbytes))
+- schedule_work(&other->push_work);
+ }
+ }
+
+@@ -1439,22 +1399,6 @@ static void _xfer_secondary_pool(struct
+ }
+
+ /*
+- * Used as a workqueue function so that when the input pool is getting
+- * full, we can "spill over" some entropy to the output pools. That
+- * way the output pools can store some of the excess entropy instead
+- * of letting it go to waste.
+- */
+-static void push_to_pool(struct work_struct *work)
+-{
+- struct entropy_store *r = container_of(work, struct entropy_store,
+- push_work);
+- BUG_ON(!r);
+- _xfer_secondary_pool(r, random_read_wakeup_bits/8);
+- trace_push_to_pool(r->name, r->entropy_count >> ENTROPY_SHIFT,
+- r->pull->entropy_count >> ENTROPY_SHIFT);
+-}
+-
+-/*
+ * This function decides how many bytes to actually take from the
+ * given pool, and also debits the entropy count accordingly.
+ */
+@@ -1632,54 +1576,6 @@ static ssize_t extract_entropy(struct en
+ return _extract_entropy(r, buf, nbytes, fips_enabled);
+ }
+
+-/*
+- * This function extracts randomness from the "entropy pool", and
+- * returns it in a userspace buffer.
+- */
+-static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+- size_t nbytes)
+-{
+- ssize_t ret = 0, i;
+- __u8 tmp[EXTRACT_SIZE];
+- int large_request = (nbytes > 256);
+-
+- trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
+- if (!r->initialized && r->pull) {
+- xfer_secondary_pool(r, ENTROPY_BITS(r->pull)/8);
+- if (!r->initialized)
+- return 0;
+- }
+- xfer_secondary_pool(r, nbytes);
+- nbytes = account(r, nbytes, 0, 0);
+-
+- while (nbytes) {
+- if (large_request && need_resched()) {
+- if (signal_pending(current)) {
+- if (ret == 0)
+- ret = -ERESTARTSYS;
+- break;
+- }
+- schedule();
+- }
+-
+- extract_buf(r, tmp);
+- i = min_t(int, nbytes, EXTRACT_SIZE);
+- if (copy_to_user(buf, tmp, i)) {
+- ret = -EFAULT;
+- break;
+- }
+-
+- nbytes -= i;
+- buf += i;
+- ret += i;
+- }
+-
+- /* Wipe data just returned from memory */
+- memzero_explicit(tmp, sizeof(tmp));
+-
+- return ret;
+-}
+-
+ #define warn_unseeded_randomness(previous) \
+ _warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous))
+
+@@ -1910,7 +1806,6 @@ static void __init init_std_data(struct
+ int __init rand_initialize(void)
+ {
+ init_std_data(&input_pool);
+- init_std_data(&blocking_pool);
+ if (crng_need_final_init)
+ crng_finalize_init(&primary_crng);
+ crng_initialize(&primary_crng);
+@@ -2081,7 +1976,6 @@ static long random_ioctl(struct file *f,
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ input_pool.entropy_count = 0;
+- blocking_pool.entropy_count = 0;
+ return 0;
+ case RNDRESEEDCRNG:
+ if (!capable(CAP_SYS_ADMIN))
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 7 Jan 2020 16:10:28 -0500
+Subject: random: remove unnecessary unlikely()
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 870e05b1b18814911cb2703a977f447cb974f0f9 upstream.
+
+WARN_ON() already contains an unlikely(), so it's not necessary to use
+unlikely.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Link: https://lore.kernel.org/r/20190607182517.28266-1-tiny.windzz@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -738,10 +738,9 @@ retry:
+ } while (unlikely(entropy_count < pool_size-2 && pnfrac));
+ }
+
+- if (unlikely(entropy_count < 0)) {
++ if (WARN_ON(entropy_count < 0)) {
+ pr_warn("random: negative entropy/overflow: pool %s count %d\n",
+ r->name, entropy_count);
+- WARN_ON(1);
+ entropy_count = 0;
+ } else if (entropy_count > pool_size)
+ entropy_count = pool_size;
+@@ -1380,10 +1379,9 @@ retry:
+ if (ibytes < min)
+ ibytes = 0;
+
+- if (unlikely(entropy_count < 0)) {
++ if (WARN_ON(entropy_count < 0)) {
+ pr_warn("random: negative entropy count: pool %s count %d\n",
+ r->name, entropy_count);
+- WARN_ON(1);
+ entropy_count = 0;
+ }
+ nfrac = ibytes << (ENTROPY_SHIFT + 3);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 12 Jan 2022 15:28:21 +0100
+Subject: random: remove unused extract_entropy() reserved argument
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 8b2d953b91e7f60200c24067ab17b77cc7bfd0d4 upstream.
+
+This argument is always set to zero, as a result of us not caring about
+keeping a certain amount reserved in the pool these days. So just remove
+it and cleanup the function signatures.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -519,7 +519,7 @@ struct entropy_store {
+ };
+
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int min, int rsvd);
++ size_t nbytes, int min);
+ static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
+ size_t nbytes);
+
+@@ -988,7 +988,7 @@ static void crng_reseed(struct crng_stat
+ } buf;
+
+ if (r) {
+- num = extract_entropy(r, &buf, 32, 16, 0);
++ num = extract_entropy(r, &buf, 32, 16);
+ if (num == 0)
+ return;
+ } else {
+@@ -1326,8 +1326,7 @@ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ * This function decides how many bytes to actually take from the
+ * given pool, and also debits the entropy count accordingly.
+ */
+-static size_t account(struct entropy_store *r, size_t nbytes, int min,
+- int reserved)
++static size_t account(struct entropy_store *r, size_t nbytes, int min)
+ {
+ int entropy_count, orig, have_bytes;
+ size_t ibytes, nfrac;
+@@ -1341,7 +1340,7 @@ retry:
+ /* never pull more than available */
+ have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
+
+- if ((have_bytes -= reserved) < 0)
++ if (have_bytes < 0)
+ have_bytes = 0;
+ ibytes = min_t(size_t, ibytes, have_bytes);
+ if (ibytes < min)
+@@ -1447,15 +1446,13 @@ static ssize_t _extract_entropy(struct e
+ * returns it in a buffer.
+ *
+ * The min parameter specifies the minimum amount we can pull before
+- * failing to avoid races that defeat catastrophic reseeding while the
+- * reserved parameter indicates how much entropy we must leave in the
+- * pool after each pull to avoid starving other readers.
++ * failing to avoid races that defeat catastrophic reseeding.
+ */
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+- size_t nbytes, int min, int reserved)
++ size_t nbytes, int min)
+ {
+ trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
+- nbytes = account(r, nbytes, min, reserved);
++ nbytes = account(r, nbytes, min);
+ return _extract_entropy(r, buf, nbytes);
+ }
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Tue, 7 Dec 2021 13:17:33 +0100
+Subject: random: remove unused irq_flags argument from add_interrupt_randomness()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 703f7066f40599c290babdb79dd61319264987e9 upstream.
+
+Since commit
+ ee3e00e9e7101 ("random: use registers from interrupted code for CPU's w/o a cycle counter")
+
+the irq_flags argument is no longer used.
+
+Remove unused irq_flags.
+
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dexuan Cui <decui@microsoft.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: linux-hyperv@vger.kernel.org
+Cc: x86@kernel.org
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ++--
+ drivers/hv/vmbus_drv.c | 2 +-
+ include/linux/random.h | 2 +-
+ kernel/irq/handle.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -200,7 +200,7 @@
+ * void add_device_randomness(const void *buf, unsigned int size);
+ * void add_input_randomness(unsigned int type, unsigned int code,
+ * unsigned int value);
+- * void add_interrupt_randomness(int irq, int irq_flags);
++ * void add_interrupt_randomness(int irq);
+ * void add_disk_randomness(struct gendisk *disk);
+ * void add_hwgenerator_randomness(const char *buffer, size_t count,
+ * size_t entropy);
+@@ -1271,7 +1271,7 @@ static __u32 get_reg(struct fast_pool *f
+ return *ptr;
+ }
+
+-void add_interrupt_randomness(int irq, int irq_flags)
++void add_interrupt_randomness(int irq)
+ {
+ struct entropy_store *r;
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1064,7 +1064,7 @@ static void vmbus_isr(void)
+ tasklet_schedule(&hv_cpu->msg_dpc);
+ }
+
+- add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);
++ add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR);
+ }
+
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -35,7 +35,7 @@ static inline void add_latent_entropy(vo
+
+ extern void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value) __latent_entropy;
+-extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
++extern void add_interrupt_randomness(int irq) __latent_entropy;
+
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern int wait_for_random_bytes(void);
+--- a/kernel/irq/handle.c
++++ b/kernel/irq/handle.c
+@@ -186,7 +186,7 @@ irqreturn_t handle_irq_event_percpu(stru
+
+ retval = __handle_irq_event_percpu(desc, &flags);
+
+- add_interrupt_randomness(desc->irq_data.irq, flags);
++ add_interrupt_randomness(desc->irq_data.irq);
+
+ if (!noirqdebug)
+ note_interrupt(desc, retval);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 13 Jan 2022 15:51:06 +0100
+Subject: random: remove unused OUTPUT_POOL constants
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 0f63702718c91d89c922081ac1e6baeddc2d8b1a upstream.
+
+We no longer have an output pool. Rather, we have just a wakeup bits
+threshold for /dev/random reads, presumably so that processes don't
+hang. This value, random_write_wakeup_bits, is configurable anyway. So
+all the no longer usefully named OUTPUT_POOL constants were doing was
+setting a reasonable default for random_write_wakeup_bits. This commit
+gets rid of the constants and just puts it all in the default value of
+random_write_wakeup_bits.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -363,8 +363,6 @@
+ */
+ #define INPUT_POOL_SHIFT 12
+ #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
+-#define OUTPUT_POOL_SHIFT 10
+-#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
+ #define EXTRACT_SIZE (BLAKE2S_HASH_SIZE / 2)
+
+ /*
+@@ -382,7 +380,7 @@
+ * should wake up processes which are selecting or polling on write
+ * access to /dev/random.
+ */
+-static int random_write_wakeup_bits = 28 * OUTPUT_POOL_WORDS;
++static int random_write_wakeup_bits = 28 * (1 << 5);
+
+ /*
+ * Originally, we used a primitive polynomial of degree .poolwords
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 10 Feb 2022 16:40:44 +0100
+Subject: random: remove unused tracepoints
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 14c174633f349cb41ea90c2c0aaddac157012f74 upstream.
+
+These explicit tracepoints aren't really used and show sign of aging.
+It's work to keep these up to date, and before I attempted to keep them
+up to date, they weren't up to date, which indicates that they're not
+really used. These days there are better ways of introspecting anyway.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 30 ------
+ include/trace/events/random.h | 195 ------------------------------------------
+ lib/random32.c | 2
+ 3 files changed, 5 insertions(+), 222 deletions(-)
+ delete mode 100644 include/trace/events/random.h
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -237,9 +237,6 @@
+ #include <asm/irq_regs.h>
+ #include <asm/io.h>
+
+-#define CREATE_TRACE_POINTS
+-#include <trace/events/random.h>
+-
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+ POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+@@ -315,7 +312,6 @@ static void mix_pool_bytes(const void *i
+ {
+ unsigned long flags;
+
+- trace_mix_pool_bytes(nbytes, _RET_IP_);
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(in, nbytes);
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+@@ -389,8 +385,6 @@ static void credit_entropy_bits(size_t n
+ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+
+- trace_credit_entropy_bits(nbits, entropy_count, _RET_IP_);
+-
+ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+ crng_reseed();
+ }
+@@ -719,7 +713,6 @@ void add_device_randomness(const void *b
+ if (!crng_ready() && size)
+ crng_slow_load(buf, size);
+
+- trace_add_device_randomness(size, _RET_IP_);
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(buf, size);
+ _mix_pool_bytes(&time, sizeof(time));
+@@ -798,7 +791,6 @@ void add_input_randomness(unsigned int t
+ last_value = value;
+ add_timer_randomness(&input_timer_state,
+ (type << 4) ^ code ^ (code >> 4) ^ value);
+- trace_add_input_randomness(input_pool.entropy_count);
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+@@ -878,7 +870,6 @@ void add_disk_randomness(struct gendisk
+ return;
+ /* first major is 1, so we get >= 0x200 here */
+ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+- trace_add_disk_randomness(disk_devt(disk), input_pool.entropy_count);
+ }
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ #endif
+@@ -903,8 +894,6 @@ static void extract_entropy(void *buf, s
+ } block;
+ size_t i;
+
+- trace_extract_entropy(nbytes, input_pool.entropy_count);
+-
+ for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
+ if (!arch_get_random_seed_long(&block.rdseed[i]) &&
+ !arch_get_random_long(&block.rdseed[i]))
+@@ -976,8 +965,6 @@ static void _get_random_bytes(void *buf,
+ u8 tmp[CHACHA20_BLOCK_SIZE];
+ size_t len;
+
+- trace_get_random_bytes(nbytes, _RET_IP_);
+-
+ if (!nbytes)
+ return;
+
+@@ -1174,7 +1161,6 @@ size_t __must_check get_random_bytes_arc
+ size_t left = nbytes;
+ u8 *p = buf;
+
+- trace_get_random_bytes_arch(left, _RET_IP_);
+ while (left) {
+ unsigned long v;
+ size_t chunk = min_t(size_t, left, sizeof(unsigned long));
+@@ -1258,16 +1244,6 @@ void rand_initialize_disk(struct gendisk
+ }
+ #endif
+
+-static ssize_t urandom_read_nowarn(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
+-{
+- ssize_t ret;
+-
+- ret = get_random_bytes_user(buf, nbytes);
+- trace_urandom_read(nbytes, input_pool.entropy_count);
+- return ret;
+-}
+-
+ static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
+ loff_t *ppos)
+ {
+@@ -1280,7 +1256,7 @@ static ssize_t urandom_read(struct file
+ current->comm, nbytes);
+ }
+
+- return urandom_read_nowarn(file, buf, nbytes, ppos);
++ return get_random_bytes_user(buf, nbytes);
+ }
+
+ static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
+@@ -1291,7 +1267,7 @@ static ssize_t random_read(struct file *
+ ret = wait_for_random_bytes();
+ if (ret != 0)
+ return ret;
+- return urandom_read_nowarn(file, buf, nbytes, ppos);
++ return get_random_bytes_user(buf, nbytes);
+ }
+
+ static unsigned int random_poll(struct file *file, poll_table *wait)
+@@ -1450,7 +1426,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (unlikely(ret))
+ return ret;
+ }
+- return urandom_read_nowarn(NULL, buf, count, NULL);
++ return get_random_bytes_user(buf, count);
+ }
+
+ /********************************************************************
+--- a/include/trace/events/random.h
++++ /dev/null
+@@ -1,195 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-#undef TRACE_SYSTEM
+-#define TRACE_SYSTEM random
+-
+-#if !defined(_TRACE_RANDOM_H) || defined(TRACE_HEADER_MULTI_READ)
+-#define _TRACE_RANDOM_H
+-
+-#include <linux/writeback.h>
+-#include <linux/tracepoint.h>
+-
+-TRACE_EVENT(add_device_randomness,
+- TP_PROTO(size_t bytes, unsigned long IP),
+-
+- TP_ARGS(bytes, IP),
+-
+- TP_STRUCT__entry(
+- __field(size_t, bytes )
+- __field(unsigned long, IP )
+- ),
+-
+- TP_fast_assign(
+- __entry->bytes = bytes;
+- __entry->IP = IP;
+- ),
+-
+- TP_printk("bytes %zu caller %pS",
+- __entry->bytes, (void *)__entry->IP)
+-);
+-
+-DECLARE_EVENT_CLASS(random__mix_pool_bytes,
+- TP_PROTO(size_t bytes, unsigned long IP),
+-
+- TP_ARGS(bytes, IP),
+-
+- TP_STRUCT__entry(
+- __field(size_t, bytes )
+- __field(unsigned long, IP )
+- ),
+-
+- TP_fast_assign(
+- __entry->bytes = bytes;
+- __entry->IP = IP;
+- ),
+-
+- TP_printk("input pool: bytes %zu caller %pS",
+- __entry->bytes, (void *)__entry->IP)
+-);
+-
+-DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes,
+- TP_PROTO(size_t bytes, unsigned long IP),
+-
+- TP_ARGS(bytes, IP)
+-);
+-
+-DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock,
+- TP_PROTO(int bytes, unsigned long IP),
+-
+- TP_ARGS(bytes, IP)
+-);
+-
+-TRACE_EVENT(credit_entropy_bits,
+- TP_PROTO(size_t bits, size_t entropy_count, unsigned long IP),
+-
+- TP_ARGS(bits, entropy_count, IP),
+-
+- TP_STRUCT__entry(
+- __field(size_t, bits )
+- __field(size_t, entropy_count )
+- __field(unsigned long, IP )
+- ),
+-
+- TP_fast_assign(
+- __entry->bits = bits;
+- __entry->entropy_count = entropy_count;
+- __entry->IP = IP;
+- ),
+-
+- TP_printk("input pool: bits %zu entropy_count %zu caller %pS",
+- __entry->bits, __entry->entropy_count, (void *)__entry->IP)
+-);
+-
+-TRACE_EVENT(add_input_randomness,
+- TP_PROTO(size_t input_bits),
+-
+- TP_ARGS(input_bits),
+-
+- TP_STRUCT__entry(
+- __field(size_t, input_bits )
+- ),
+-
+- TP_fast_assign(
+- __entry->input_bits = input_bits;
+- ),
+-
+- TP_printk("input_pool_bits %zu", __entry->input_bits)
+-);
+-
+-TRACE_EVENT(add_disk_randomness,
+- TP_PROTO(dev_t dev, size_t input_bits),
+-
+- TP_ARGS(dev, input_bits),
+-
+- TP_STRUCT__entry(
+- __field(dev_t, dev )
+- __field(size_t, input_bits )
+- ),
+-
+- TP_fast_assign(
+- __entry->dev = dev;
+- __entry->input_bits = input_bits;
+- ),
+-
+- TP_printk("dev %d,%d input_pool_bits %zu", MAJOR(__entry->dev),
+- MINOR(__entry->dev), __entry->input_bits)
+-);
+-
+-DECLARE_EVENT_CLASS(random__get_random_bytes,
+- TP_PROTO(size_t nbytes, unsigned long IP),
+-
+- TP_ARGS(nbytes, IP),
+-
+- TP_STRUCT__entry(
+- __field(size_t, nbytes )
+- __field(unsigned long, IP )
+- ),
+-
+- TP_fast_assign(
+- __entry->nbytes = nbytes;
+- __entry->IP = IP;
+- ),
+-
+- TP_printk("nbytes %zu caller %pS", __entry->nbytes, (void *)__entry->IP)
+-);
+-
+-DEFINE_EVENT(random__get_random_bytes, get_random_bytes,
+- TP_PROTO(size_t nbytes, unsigned long IP),
+-
+- TP_ARGS(nbytes, IP)
+-);
+-
+-DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch,
+- TP_PROTO(size_t nbytes, unsigned long IP),
+-
+- TP_ARGS(nbytes, IP)
+-);
+-
+-DECLARE_EVENT_CLASS(random__extract_entropy,
+- TP_PROTO(size_t nbytes, size_t entropy_count),
+-
+- TP_ARGS(nbytes, entropy_count),
+-
+- TP_STRUCT__entry(
+- __field( size_t, nbytes )
+- __field( size_t, entropy_count )
+- ),
+-
+- TP_fast_assign(
+- __entry->nbytes = nbytes;
+- __entry->entropy_count = entropy_count;
+- ),
+-
+- TP_printk("input pool: nbytes %zu entropy_count %zu",
+- __entry->nbytes, __entry->entropy_count)
+-);
+-
+-
+-DEFINE_EVENT(random__extract_entropy, extract_entropy,
+- TP_PROTO(size_t nbytes, size_t entropy_count),
+-
+- TP_ARGS(nbytes, entropy_count)
+-);
+-
+-TRACE_EVENT(urandom_read,
+- TP_PROTO(size_t nbytes, size_t entropy_count),
+-
+- TP_ARGS(nbytes, entropy_count),
+-
+- TP_STRUCT__entry(
+- __field( size_t, nbytes )
+- __field( size_t, entropy_count )
+- ),
+-
+- TP_fast_assign(
+- __entry->nbytes = nbytes;
+- __entry->entropy_count = entropy_count;
+- ),
+-
+- TP_printk("reading: nbytes %zu entropy_count %zu",
+- __entry->nbytes, __entry->entropy_count)
+-);
+-
+-#endif /* _TRACE_RANDOM_H */
+-
+-/* This part must be outside protection */
+-#include <trace/define_trace.h>
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -38,6 +38,8 @@
+ #include <linux/jiffies.h>
+ #include <linux/random.h>
+ #include <linux/sched.h>
++#include <linux/bitops.h>
++#include <linux/slab.h>
+ #include <asm/unaligned.h>
+
+ /**
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 4 Feb 2022 14:17:33 -0800
+Subject: random: remove use_input_pool parameter from crng_reseed()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5d58ea3a31cc98b9fa563f6921d3d043bf0103d1 upstream.
+
+The primary_crng is always reseeded from the input_pool, while the NUMA
+crngs are always reseeded from the primary_crng. Remove the redundant
+'use_input_pool' parameter from crng_reseed() and just directly check
+whether the crng is the primary_crng.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -365,7 +365,7 @@ static struct {
+
+ static void extract_entropy(void *buf, size_t nbytes);
+
+-static void crng_reseed(struct crng_state *crng, bool use_input_pool);
++static void crng_reseed(struct crng_state *crng);
+
+ /*
+ * This function adds bytes into the entropy "pool". It does not
+@@ -464,7 +464,7 @@ static void credit_entropy_bits(int nbit
+ trace_credit_entropy_bits(nbits, entropy_count, _RET_IP_);
+
+ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+- crng_reseed(&primary_crng, true);
++ crng_reseed(&primary_crng);
+ }
+
+ /*********************************************************************
+@@ -700,7 +700,7 @@ static int crng_slow_load(const u8 *cp,
+ return 1;
+ }
+
+-static void crng_reseed(struct crng_state *crng, bool use_input_pool)
++static void crng_reseed(struct crng_state *crng)
+ {
+ unsigned long flags;
+ int i;
+@@ -709,7 +709,7 @@ static void crng_reseed(struct crng_stat
+ u32 key[8];
+ } buf;
+
+- if (use_input_pool) {
++ if (crng == &primary_crng) {
+ int entropy_count;
+ do {
+ entropy_count = READ_ONCE(input_pool.entropy_count);
+@@ -747,7 +747,7 @@ static void _extract_crng(struct crng_st
+ init_time = READ_ONCE(crng->init_time);
+ if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
+ time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
+- crng_reseed(crng, crng == &primary_crng);
++ crng_reseed(crng);
+ }
+ spin_lock_irqsave(&crng->lock, flags);
+ chacha20_block(&crng->state[0], out);
+@@ -1546,7 +1546,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (crng_init < 2)
+ return -ENODATA;
+- crng_reseed(&primary_crng, true);
++ crng_reseed(&primary_crng);
+ WRITE_ONCE(crng_global_init_time, jiffies - 1);
+ return 0;
+ default:
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:28:33 +0100
+Subject: random: remove useless header comment
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 6071a6c0fba2d747742cadcbb3ba26ed756ed73b upstream.
+
+This really adds nothing at all useful.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/random.h | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -1,9 +1,5 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * include/linux/random.h
+- *
+- * Include file for the random number generator.
+- */
++
+ #ifndef _LINUX_RANDOM_H
+ #define _LINUX_RANDOM_H
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 13:41:41 +0100
+Subject: random: remove whitespace and reorder includes
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 87e7d5abad0cbc9312dea7f889a57d294c1a5fcc upstream.
+
+This is purely cosmetic. Future work involves figuring out which of
+these headers we need and which we don't.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -193,11 +193,10 @@
+ #include <linux/syscalls.h>
+ #include <linux/completion.h>
+ #include <linux/uuid.h>
++#include <linux/uaccess.h>
+ #include <crypto/chacha20.h>
+ #include <crypto/blake2s.h>
+-
+ #include <asm/processor.h>
+-#include <linux/uaccess.h>
+ #include <asm/irq.h>
+ #include <asm/irq_regs.h>
+ #include <asm/io.h>
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 1 Mar 2022 20:03:49 +0100
+Subject: random: replace custom notifier chain with standard one
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 5acd35487dc911541672b3ffc322851769c32a56 upstream.
+
+We previously rolled our own randomness readiness notifier, which only
+has two users in the whole kernel. Replace this with a more standard
+atomic notifier block that serves the same purpose with less code. Also
+unexport the symbols, because no modules use it, only unconditional
+builtins. The only drawback is that it's possible for a notification
+handler returning the "stop" code to prevent further processing, but
+given that there are only two users, and that we're unexporting this
+anyway, that doesn't seem like a significant drawback for the
+simplification we receive here.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+[Jason: for stable, also backported to crypto/drbg.c, not unexporting.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/drbg.c | 17 +++++-------
+ drivers/char/random.c | 69 ++++++++++++++-----------------------------------
+ include/crypto/drbg.h | 2 -
+ include/linux/random.h | 10 ++-----
+ lib/random32.c | 13 +++++----
+ 5 files changed, 41 insertions(+), 70 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1390,12 +1390,13 @@ static int drbg_generate_long(struct drb
+ return 0;
+ }
+
+-static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
++static int drbg_schedule_async_seed(struct notifier_block *nb, unsigned long action, void *data)
+ {
+- struct drbg_state *drbg = container_of(rdy, struct drbg_state,
++ struct drbg_state *drbg = container_of(nb, struct drbg_state,
+ random_ready);
+
+ schedule_work(&drbg->seed_work);
++ return 0;
+ }
+
+ static int drbg_prepare_hrng(struct drbg_state *drbg)
+@@ -1408,10 +1409,8 @@ static int drbg_prepare_hrng(struct drbg
+
+ INIT_WORK(&drbg->seed_work, drbg_async_seed);
+
+- drbg->random_ready.owner = THIS_MODULE;
+- drbg->random_ready.func = drbg_schedule_async_seed;
+-
+- err = add_random_ready_callback(&drbg->random_ready);
++ drbg->random_ready.notifier_call = drbg_schedule_async_seed;
++ err = register_random_ready_notifier(&drbg->random_ready);
+
+ switch (err) {
+ case 0:
+@@ -1422,7 +1421,7 @@ static int drbg_prepare_hrng(struct drbg
+ /* fall through */
+
+ default:
+- drbg->random_ready.func = NULL;
++ drbg->random_ready.notifier_call = NULL;
+ return err;
+ }
+
+@@ -1528,8 +1527,8 @@ free_everything:
+ */
+ static int drbg_uninstantiate(struct drbg_state *drbg)
+ {
+- if (drbg->random_ready.func) {
+- del_random_ready_callback(&drbg->random_ready);
++ if (drbg->random_ready.notifier_call) {
++ unregister_random_ready_notifier(&drbg->random_ready);
+ cancel_work_sync(&drbg->seed_work);
+ crypto_free_rng(drbg->jent);
+ drbg->jent = NULL;
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -83,8 +83,8 @@ static int crng_init = 0;
+ /* Various types of waiters for crng_init->2 transition. */
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+ static struct fasync_struct *fasync;
+-static DEFINE_SPINLOCK(random_ready_list_lock);
+-static LIST_HEAD(random_ready_list);
++static DEFINE_SPINLOCK(random_ready_chain_lock);
++static RAW_NOTIFIER_HEAD(random_ready_chain);
+
+ /* Control how we warn userspace. */
+ static struct ratelimit_state unseeded_warning =
+@@ -147,72 +147,45 @@ EXPORT_SYMBOL(wait_for_random_bytes);
+ *
+ * returns: 0 if callback is successfully added
+ * -EALREADY if pool is already initialised (callback not called)
+- * -ENOENT if module for callback is not alive
+ */
+-int add_random_ready_callback(struct random_ready_callback *rdy)
++int register_random_ready_notifier(struct notifier_block *nb)
+ {
+- struct module *owner;
+ unsigned long flags;
+- int err = -EALREADY;
++ int ret = -EALREADY;
+
+ if (crng_ready())
+- return err;
++ return ret;
+
+- owner = rdy->owner;
+- if (!try_module_get(owner))
+- return -ENOENT;
+-
+- spin_lock_irqsave(&random_ready_list_lock, flags);
+- if (crng_ready())
+- goto out;
+-
+- owner = NULL;
+-
+- list_add(&rdy->list, &random_ready_list);
+- err = 0;
+-
+-out:
+- spin_unlock_irqrestore(&random_ready_list_lock, flags);
+-
+- module_put(owner);
+-
+- return err;
++ spin_lock_irqsave(&random_ready_chain_lock, flags);
++ if (!crng_ready())
++ ret = raw_notifier_chain_register(&random_ready_chain, nb);
++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
++ return ret;
+ }
+-EXPORT_SYMBOL(add_random_ready_callback);
++EXPORT_SYMBOL(register_random_ready_notifier);
+
+ /*
+ * Delete a previously registered readiness callback function.
+ */
+-void del_random_ready_callback(struct random_ready_callback *rdy)
++int unregister_random_ready_notifier(struct notifier_block *nb)
+ {
+ unsigned long flags;
+- struct module *owner = NULL;
+-
+- spin_lock_irqsave(&random_ready_list_lock, flags);
+- if (!list_empty(&rdy->list)) {
+- list_del_init(&rdy->list);
+- owner = rdy->owner;
+- }
+- spin_unlock_irqrestore(&random_ready_list_lock, flags);
++ int ret;
+
+- module_put(owner);
++ spin_lock_irqsave(&random_ready_chain_lock, flags);
++ ret = raw_notifier_chain_unregister(&random_ready_chain, nb);
++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
++ return ret;
+ }
+-EXPORT_SYMBOL(del_random_ready_callback);
++EXPORT_SYMBOL(unregister_random_ready_notifier);
+
+ static void process_random_ready_list(void)
+ {
+ unsigned long flags;
+- struct random_ready_callback *rdy, *tmp;
+
+- spin_lock_irqsave(&random_ready_list_lock, flags);
+- list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) {
+- struct module *owner = rdy->owner;
+-
+- list_del_init(&rdy->list);
+- rdy->func(rdy);
+- module_put(owner);
+- }
+- spin_unlock_irqrestore(&random_ready_list_lock, flags);
++ spin_lock_irqsave(&random_ready_chain_lock, flags);
++ raw_notifier_call_chain(&random_ready_chain, 0, NULL);
++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
+ }
+
+ #define warn_unseeded_randomness(previous) \
+--- a/include/crypto/drbg.h
++++ b/include/crypto/drbg.h
+@@ -136,7 +136,7 @@ struct drbg_state {
+ const struct drbg_state_ops *d_ops;
+ const struct drbg_core *core;
+ struct drbg_string test_data;
+- struct random_ready_callback random_ready;
++ struct notifier_block random_ready;
+ };
+
+ static inline __u8 drbg_statelen(struct drbg_state *drbg)
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -10,11 +10,7 @@
+
+ #include <uapi/linux/random.h>
+
+-struct random_ready_callback {
+- struct list_head list;
+- void (*func)(struct random_ready_callback *rdy);
+- struct module *owner;
+-};
++struct notifier_block;
+
+ extern void add_device_randomness(const void *, size_t);
+ extern void add_bootloader_randomness(const void *, size_t);
+@@ -39,8 +35,8 @@ extern void get_random_bytes(void *buf,
+ extern int wait_for_random_bytes(void);
+ extern int __init rand_initialize(void);
+ extern bool rng_is_initialized(void);
+-extern int add_random_ready_callback(struct random_ready_callback *rdy);
+-extern void del_random_ready_callback(struct random_ready_callback *rdy);
++extern int register_random_ready_notifier(struct notifier_block *nb);
++extern int unregister_random_ready_notifier(struct notifier_block *nb);
+ extern size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes);
+
+ #ifndef MODULE
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -40,6 +40,7 @@
+ #include <linux/sched.h>
+ #include <linux/bitops.h>
+ #include <linux/slab.h>
++#include <linux/notifier.h>
+ #include <asm/unaligned.h>
+
+ /**
+@@ -546,9 +547,11 @@ static void prandom_reseed(unsigned long
+ * To avoid worrying about whether it's safe to delay that interrupt
+ * long enough to seed all CPUs, just schedule an immediate timer event.
+ */
+-static void prandom_timer_start(struct random_ready_callback *unused)
++static int prandom_timer_start(struct notifier_block *nb,
++ unsigned long action, void *data)
+ {
+ mod_timer(&seed_timer, jiffies);
++ return 0;
+ }
+
+ /*
+@@ -557,13 +560,13 @@ static void prandom_timer_start(struct r
+ */
+ static int __init prandom_init_late(void)
+ {
+- static struct random_ready_callback random_ready = {
+- .func = prandom_timer_start
++ static struct notifier_block random_ready = {
++ .notifier_call = prandom_timer_start
+ };
+- int ret = add_random_ready_callback(&random_ready);
++ int ret = register_random_ready_notifier(&random_ready);
+
+ if (ret == -EALREADY) {
+- prandom_timer_start(&random_ready);
++ prandom_timer_start(&random_ready, 0, NULL);
+ ret = 0;
+ }
+ return ret;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Mar 2022 23:32:34 -0700
+Subject: random: reseed more often immediately after booting
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 7a7ff644aeaf071d433caffb3b8ea57354b55bd3 upstream.
+
+In order to chip away at the "premature first" problem, we augment our
+existing entropy accounting with more frequent reseedings at boot.
+
+The idea is that at boot, we're getting entropy from various places, and
+we're not very sure which of early boot entropy is good and which isn't.
+Even when we're crediting the entropy, we're still not totally certain
+that it's any good. Since boot is the one time (aside from a compromise)
+that we have zero entropy, it's important that we shepherd entropy into
+the crng fairly often.
+
+At the same time, we don't want a "premature next" problem, whereby an
+attacker can brute force individual bits of added entropy. In lieu of
+going full-on Fortuna (for now), we can pick a simpler strategy of just
+reseeding more often during the first 5 minutes after boot. This is
+still bounded by the 256-bit entropy credit requirement, so we'll skip a
+reseeding if we haven't reached that, but in case entropy /is/ coming
+in, this ensures that it makes its way into the crng rather rapidly
+during these early stages.
+
+Ordinarily we reseed if the previous reseeding is 300 seconds old. This
+commit changes things so that for the first 600 seconds of boot time, we
+reseed if the previous reseeding is uptime / 2 seconds old. That means
+that we'll reseed at the very least double the uptime of the previous
+reseeding.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -336,6 +336,28 @@ static void crng_fast_key_erasure(u8 key
+ }
+
+ /*
++ * Return whether the crng seed is considered to be sufficiently
++ * old that a reseeding might be attempted. This happens if the last
++ * reseeding was CRNG_RESEED_INTERVAL ago, or during early boot, at
++ * an interval proportional to the uptime.
++ */
++static bool crng_has_old_seed(void)
++{
++ static bool early_boot = true;
++ unsigned long interval = CRNG_RESEED_INTERVAL;
++
++ if (unlikely(READ_ONCE(early_boot))) {
++ time64_t uptime = ktime_get_seconds();
++ if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2)
++ WRITE_ONCE(early_boot, false);
++ else
++ interval = max_t(unsigned int, 5 * HZ,
++ (unsigned int)uptime / 2 * HZ);
++ }
++ return time_after(jiffies, READ_ONCE(base_crng.birth) + interval);
++}
++
++/*
+ * This function returns a ChaCha state that you may use for generating
+ * random data. It also returns up to 32 bytes on its own of random data
+ * that may be used; random_data_len may not be greater than 32.
+@@ -368,10 +390,10 @@ static void crng_make_state(u32 chacha_s
+ }
+
+ /*
+- * If the base_crng is more than 5 minutes old, we reseed, which
+- * in turn bumps the generation counter that we check below.
++ * If the base_crng is old enough, we try to reseed, which in turn
++ * bumps the generation counter that we check below.
+ */
+- if (unlikely(time_after(jiffies, READ_ONCE(base_crng.birth) + CRNG_RESEED_INTERVAL)))
++ if (unlikely(crng_has_old_seed()))
+ crng_reseed();
+
+ local_irq_save(flags);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Tobin C. Harding" <me@tobin.cc>
+Date: Fri, 22 Jun 2018 09:15:32 +1000
+Subject: random: Return nbytes filled from hw RNG
+
+From: "Tobin C. Harding" <me@tobin.cc>
+
+commit 753d433b586d1d43c487e3d660f5778c7c8d58ea upstream.
+
+Currently the function get_random_bytes_arch() has return value 'void'.
+If the hw RNG fails we currently fall back to using get_random_bytes().
+This defeats the purpose of requesting random material from the hw RNG
+in the first place.
+
+There are currently no intree users of get_random_bytes_arch().
+
+Only get random bytes from the hw RNG, make function return the number
+of bytes retrieved from the hw RNG.
+
+Acked-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Tobin C. Harding <me@tobin.cc>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 16 +++++++++-------
+ include/linux/random.h | 2 +-
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1730,26 +1730,28 @@ EXPORT_SYMBOL(del_random_ready_callback)
+ * key known by the NSA). So it's useful if we need the speed, but
+ * only if we're willing to trust the hardware manufacturer not to
+ * have put in a back door.
++ *
++ * Return number of bytes filled in.
+ */
+-void get_random_bytes_arch(void *buf, int nbytes)
++int __must_check get_random_bytes_arch(void *buf, int nbytes)
+ {
++ int left = nbytes;
+ char *p = buf;
+
+- trace_get_random_bytes_arch(nbytes, _RET_IP_);
+- while (nbytes) {
++ trace_get_random_bytes_arch(left, _RET_IP_);
++ while (left) {
+ unsigned long v;
+- int chunk = min(nbytes, (int)sizeof(unsigned long));
++ int chunk = min_t(int, left, sizeof(unsigned long));
+
+ if (!arch_get_random_long(&v))
+ break;
+
+ memcpy(p, &v, chunk);
+ p += chunk;
+- nbytes -= chunk;
++ left -= chunk;
+ }
+
+- if (nbytes)
+- get_random_bytes(p, nbytes);
++ return nbytes - left;
+ }
+ EXPORT_SYMBOL(get_random_bytes_arch);
+
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -38,7 +38,7 @@ extern void get_random_bytes(void *buf,
+ extern int wait_for_random_bytes(void);
+ extern int add_random_ready_callback(struct random_ready_callback *rdy);
+ extern void del_random_ready_callback(struct random_ready_callback *rdy);
+-extern void get_random_bytes_arch(void *buf, int nbytes);
++extern int __must_check get_random_bytes_arch(void *buf, int nbytes);
+
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 12:29:33 +0100
+Subject: random: rewrite header introductory comment
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 5f75d9f3babea8ae0a2d06724656874f41d317f5 upstream.
+
+Now that we've re-documented the various sections, we can remove the
+outdated text here and replace it with a high-level overview.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 179 +++++---------------------------------------------
+ 1 file changed, 19 insertions(+), 160 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2,168 +2,27 @@
+ /*
+ * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
+- * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All
+- * rights reserved.
+- */
+-
+-/*
+- * Exported interfaces ---- output
+- * ===============================
+- *
+- * There are four exported interfaces; two for use within the kernel,
+- * and two for use from userspace.
+- *
+- * Exported interfaces ---- userspace output
+- * -----------------------------------------
+- *
+- * The userspace interfaces are two character devices /dev/random and
+- * /dev/urandom. /dev/random is suitable for use when very high
+- * quality randomness is desired (for example, for key generation or
+- * one-time pads), as it will only return a maximum of the number of
+- * bits of randomness (as estimated by the random number generator)
+- * contained in the entropy pool.
+- *
+- * The /dev/urandom device does not have this limit, and will return
+- * as many bytes as are requested. As more and more random bytes are
+- * requested without giving time for the entropy pool to recharge,
+- * this will result in random numbers that are merely cryptographically
+- * strong. For many applications, however, this is acceptable.
+- *
+- * Exported interfaces ---- kernel output
+- * --------------------------------------
+- *
+- * The primary kernel interfaces are:
+- *
+- * void get_random_bytes(void *buf, size_t nbytes);
+- * u32 get_random_u32()
+- * u64 get_random_u64()
+- * unsigned int get_random_int()
+- * unsigned long get_random_long()
+- *
+- * These interfaces will return the requested number of random bytes
+- * into the given buffer or as a return value. This is equivalent to a
+- * read from /dev/urandom. The get_random_{u32,u64,int,long}() family
+- * of functions may be higher performance for one-off random integers,
+- * because they do a bit of buffering.
+- *
+- * prandom_u32()
+- * -------------
+- *
+- * For even weaker applications, see the pseudorandom generator
+- * prandom_u32(), prandom_max(), and prandom_bytes(). If the random
+- * numbers aren't security-critical at all, these are *far* cheaper.
+- * Useful for self-tests, random error simulation, randomized backoffs,
+- * and any other application where you trust that nobody is trying to
+- * maliciously mess with you by guessing the "random" numbers.
+- *
+- * Exported interfaces ---- input
+- * ==============================
+- *
+- * The current exported interfaces for gathering environmental noise
+- * from the devices are:
+- *
+- * void add_device_randomness(const void *buf, size_t size);
+- * void add_input_randomness(unsigned int type, unsigned int code,
+- * unsigned int value);
+- * void add_interrupt_randomness(int irq);
+- * void add_disk_randomness(struct gendisk *disk);
+- * void add_hwgenerator_randomness(const void *buffer, size_t count,
+- * size_t entropy);
+- * void add_bootloader_randomness(const void *buf, size_t size);
+- *
+- * add_device_randomness() is for adding data to the random pool that
+- * is likely to differ between two devices (or possibly even per boot).
+- * This would be things like MAC addresses or serial numbers, or the
+- * read-out of the RTC. This does *not* add any actual entropy to the
+- * pool, but it initializes the pool to different values for devices
+- * that might otherwise be identical and have very little entropy
+- * available to them (particularly common in the embedded world).
+- *
+- * add_input_randomness() uses the input layer interrupt timing, as well as
+- * the event type information from the hardware.
+- *
+- * add_interrupt_randomness() uses the interrupt timing as random
+- * inputs to the entropy pool. Using the cycle counters and the irq source
+- * as inputs, it feeds the randomness roughly once a second.
+- *
+- * add_disk_randomness() uses what amounts to the seek time of block
+- * layer request events, on a per-disk_devt basis, as input to the
+- * entropy pool. Note that high-speed solid state drives with very low
+- * seek times do not make for good sources of entropy, as their seek
+- * times are usually fairly consistent.
+- *
+- * All of these routines try to estimate how many bits of randomness a
+- * particular randomness source. They do this by keeping track of the
+- * first and second order deltas of the event timings.
+- *
+- * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
+- * entropy as specified by the caller. If the entropy pool is full it will
+- * block until more entropy is needed.
+- *
+- * add_bootloader_randomness() is the same as add_hwgenerator_randomness() or
+- * add_device_randomness(), depending on whether or not the configuration
+- * option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+- *
+- * Ensuring unpredictability at system startup
+- * ============================================
+- *
+- * When any operating system starts up, it will go through a sequence
+- * of actions that are fairly predictable by an adversary, especially
+- * if the start-up does not involve interaction with a human operator.
+- * This reduces the actual number of bits of unpredictability in the
+- * entropy pool below the value in entropy_count. In order to
+- * counteract this effect, it helps to carry information in the
+- * entropy pool across shut-downs and start-ups. To do this, put the
+- * following lines an appropriate script which is run during the boot
+- * sequence:
+- *
+- * echo "Initializing random number generator..."
+- * random_seed=/var/run/random-seed
+- * # Carry a random seed from start-up to start-up
+- * # Load and then save the whole entropy pool
+- * if [ -f $random_seed ]; then
+- * cat $random_seed >/dev/urandom
+- * else
+- * touch $random_seed
+- * fi
+- * chmod 600 $random_seed
+- * dd if=/dev/urandom of=$random_seed count=1 bs=512
+- *
+- * and the following lines in an appropriate script which is run as
+- * the system is shutdown:
+- *
+- * # Carry a random seed from shut-down to start-up
+- * # Save the whole entropy pool
+- * echo "Saving random seed..."
+- * random_seed=/var/run/random-seed
+- * touch $random_seed
+- * chmod 600 $random_seed
+- * dd if=/dev/urandom of=$random_seed count=1 bs=512
+- *
+- * For example, on most modern systems using the System V init
+- * scripts, such code fragments would be found in
+- * /etc/rc.d/init.d/random. On older Linux systems, the correct script
+- * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
+- *
+- * Effectively, these commands cause the contents of the entropy pool
+- * to be saved at shut-down time and reloaded into the entropy pool at
+- * start-up. (The 'dd' in the addition to the bootup script is to
+- * make sure that /etc/random-seed is different for every start-up,
+- * even if the system crashes without executing rc.0.) Even with
+- * complete knowledge of the start-up activities, predicting the state
+- * of the entropy pool requires knowledge of the previous history of
+- * the system.
+- *
+- * Configuring the /dev/random driver under Linux
+- * ==============================================
++ * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved.
+ *
+- * The /dev/random driver under Linux uses minor numbers 8 and 9 of
+- * the /dev/mem major number (#1). So if your system does not have
+- * /dev/random and /dev/urandom created already, they can be created
+- * by using the commands:
++ * This driver produces cryptographically secure pseudorandom data. It is divided
++ * into roughly six sections, each with a section header:
+ *
+- * mknod /dev/random c 1 8
+- * mknod /dev/urandom c 1 9
++ * - Initialization and readiness waiting.
++ * - Fast key erasure RNG, the "crng".
++ * - Entropy accumulation and extraction routines.
++ * - Entropy collection routines.
++ * - Userspace reader/writer interfaces.
++ * - Sysctl interface.
++ *
++ * The high level overview is that there is one input pool, into which
++ * various pieces of data are hashed. Some of that data is then "credited" as
++ * having a certain number of bits of entropy. When enough bits of entropy are
++ * available, the hash is finalized and handed as a key to a stream cipher that
++ * expands it indefinitely for various consumers. This key is periodically
++ * refreshed as the various entropy collectors, described below, add data to the
++ * input pool and credit it. There is currently no Fortuna-like scheduler
++ * involved, which can lead to malicious entropy sources causing a premature
++ * reseed, and the entropy estimates are, at best, conservative guesses.
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 22 Feb 2022 13:46:10 +0100
+Subject: random: round-robin registers as ulong, not u32
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit da3951ebdcd1cb1d5c750e08cd05aee7b0c04d9a upstream.
+
+When the interrupt handler does not have a valid cycle counter, it calls
+get_reg() to read a register from the irq stack, in round-robin.
+Currently it does this assuming that registers are 32-bit. This is
+_probably_ the case, and probably all platforms without cycle counters
+are in fact 32-bit platforms. But maybe not, and either way, it's not
+quite correct. This commit fixes that to deal with `unsigned long`
+rather than `u32`.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1256,15 +1256,15 @@ int random_online_cpu(unsigned int cpu)
+ }
+ #endif
+
+-static u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
++static unsigned long get_reg(struct fast_pool *f, struct pt_regs *regs)
+ {
+- u32 *ptr = (u32 *)regs;
++ unsigned long *ptr = (unsigned long *)regs;
+ unsigned int idx;
+
+ if (regs == NULL)
+ return 0;
+ idx = READ_ONCE(f->reg_idx);
+- if (idx >= sizeof(struct pt_regs) / sizeof(u32))
++ if (idx >= sizeof(struct pt_regs) / sizeof(unsigned long))
+ idx = 0;
+ ptr += idx++;
+ WRITE_ONCE(f->reg_idx, idx);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 17 Jan 2022 18:43:02 +0100
+Subject: random: simplify arithmetic function flow in account()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit a254a0e4093fce8c832414a83940736067eed515 upstream.
+
+Now that have_bytes is never modified, we can simplify this function.
+First, we move the check for negative entropy_count to be first. That
+ensures that subsequent reads of this will be non-negative. Then,
+have_bytes and ibytes can be folded into their one use site in the
+min_t() function.
+
+Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1292,7 +1292,7 @@ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ */
+ static size_t account(size_t nbytes, int min)
+ {
+- int entropy_count, orig, have_bytes;
++ int entropy_count, orig;
+ size_t ibytes, nfrac;
+
+ BUG_ON(input_pool.entropy_count > POOL_FRACBITS);
+@@ -1300,20 +1300,15 @@ static size_t account(size_t nbytes, int
+ /* Can we pull enough? */
+ retry:
+ entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+- ibytes = nbytes;
+- /* never pull more than available */
+- have_bytes = entropy_count >> (POOL_ENTROPY_SHIFT + 3);
+-
+- if (have_bytes < 0)
+- have_bytes = 0;
+- ibytes = min_t(size_t, ibytes, have_bytes);
+- if (ibytes < min)
+- ibytes = 0;
+-
+ if (WARN_ON(entropy_count < 0)) {
+ pr_warn("negative entropy count: count %d\n", entropy_count);
+ entropy_count = 0;
+ }
++
++ /* never pull more than available */
++ ibytes = min_t(size_t, nbytes, entropy_count >> (POOL_ENTROPY_SHIFT + 3));
++ if (ibytes < min)
++ ibytes = 0;
+ nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
+ if ((size_t)entropy_count > nfrac)
+ entropy_count -= nfrac;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 2 Feb 2022 13:30:03 +0100
+Subject: random: simplify entropy debiting
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9c07f57869e90140080cfc282cc628d123e27704 upstream.
+
+Our pool is 256 bits, and we only ever use all of it or don't use it at
+all, which is decided by whether or not it has at least 128 bits in it.
+So we can drastically simplify the accounting and cmpxchg loop to do
+exactly this. While we're at it, we move the minimum bit size into a
+constant so it can be shared between the two places where it matters.
+
+The reason we want any of this is for the case in which an attacker has
+compromised the current state, and then bruteforces small amounts of
+entropy added to it. By demanding a particular minimum amount of entropy
+be present before reseeding, we make that bruteforcing difficult.
+
+Note that this rationale no longer includes anything about /dev/random
+blocking at the right moment, since /dev/random no longer blocks (except
+for at ~boot), but rather uses the crng. In a former life, /dev/random
+was different and therefore required a more nuanced account(), but this
+is no longer.
+
+Behaviorally, nothing changes here. This is just a simplification of
+the code.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 91 +++++++++---------------------------------
+ include/trace/events/random.h | 30 ++-----------
+ 2 files changed, 27 insertions(+), 94 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -289,12 +289,14 @@
+ enum poolinfo {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+ POOL_BITSHIFT = ilog2(POOL_BITS),
++ POOL_MIN_BITS = POOL_BITS / 2,
+
+ /* To allow fractional bits to be tracked, the entropy_count field is
+ * denominated in units of 1/8th bits. */
+ POOL_ENTROPY_SHIFT = 3,
+ #define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
+- POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT
++ POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
++ POOL_MIN_FRACBITS = POOL_MIN_BITS << POOL_ENTROPY_SHIFT
+ };
+
+ /*
+@@ -375,8 +377,7 @@ static struct {
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ };
+
+-static bool extract_entropy(void *buf, size_t nbytes, int min);
+-static void _extract_entropy(void *buf, size_t nbytes);
++static void extract_entropy(void *buf, size_t nbytes);
+
+ static void crng_reseed(struct crng_state *crng, bool use_input_pool);
+
+@@ -467,7 +468,7 @@ static void process_random_ready_list(vo
+ */
+ static void credit_entropy_bits(int nbits)
+ {
+- int entropy_count, entropy_bits, orig;
++ int entropy_count, orig;
+ int nfrac = nbits << POOL_ENTROPY_SHIFT;
+
+ /* Ensure that the multiplication can avoid being 64 bits wide. */
+@@ -527,8 +528,7 @@ retry:
+
+ trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_);
+
+- entropy_bits = entropy_count >> POOL_ENTROPY_SHIFT;
+- if (crng_init < 2 && entropy_bits >= 128)
++ if (crng_init < 2 && entropy_count >= POOL_MIN_FRACBITS)
+ crng_reseed(&primary_crng, true);
+ }
+
+@@ -617,7 +617,7 @@ static void crng_initialize_secondary(st
+
+ static void __init crng_initialize_primary(void)
+ {
+- _extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
++ extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
+ if (crng_init_try_arch_early() && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+ numa_crng_init();
+@@ -787,8 +787,17 @@ static void crng_reseed(struct crng_stat
+ } buf;
+
+ if (use_input_pool) {
+- if (!extract_entropy(&buf, 32, 16))
+- return;
++ int entropy_count;
++ do {
++ entropy_count = READ_ONCE(input_pool.entropy_count);
++ if (entropy_count < POOL_MIN_FRACBITS)
++ return;
++ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
++ extract_entropy(buf.key, sizeof(buf.key));
++ if (random_write_wakeup_bits) {
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ }
+ } else {
+ _extract_crng(&primary_crng, buf.block);
+ _crng_backtrack_protect(&primary_crng, buf.block,
+@@ -1114,51 +1123,10 @@ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ *********************************************************************/
+
+ /*
+- * This function decides how many bytes to actually take from the
+- * given pool, and also debits the entropy count accordingly.
+- */
+-static size_t account(size_t nbytes, int min)
+-{
+- int entropy_count, orig;
+- size_t ibytes, nfrac;
+-
+- BUG_ON(input_pool.entropy_count > POOL_FRACBITS);
+-
+- /* Can we pull enough? */
+-retry:
+- entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+- if (WARN_ON(entropy_count < 0)) {
+- pr_warn("negative entropy count: count %d\n", entropy_count);
+- entropy_count = 0;
+- }
+-
+- /* never pull more than available */
+- ibytes = min_t(size_t, nbytes, entropy_count >> (POOL_ENTROPY_SHIFT + 3));
+- if (ibytes < min)
+- ibytes = 0;
+- nfrac = ibytes << (POOL_ENTROPY_SHIFT + 3);
+- if ((size_t)entropy_count > nfrac)
+- entropy_count -= nfrac;
+- else
+- entropy_count = 0;
+-
+- if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
+- goto retry;
+-
+- trace_debit_entropy(8 * ibytes);
+- if (ibytes && POOL_ENTROPY_BITS() < random_write_wakeup_bits) {
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- }
+-
+- return ibytes;
+-}
+-
+-/*
+ * This is an HKDF-like construction for using the hashed collected entropy
+ * as a PRF key, that's then expanded block-by-block.
+ */
+-static void _extract_entropy(void *buf, size_t nbytes)
++static void extract_entropy(void *buf, size_t nbytes)
+ {
+ unsigned long flags;
+ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
+@@ -1168,6 +1136,8 @@ static void _extract_entropy(void *buf,
+ } block;
+ size_t i;
+
++ trace_extract_entropy(nbytes, POOL_ENTROPY_BITS());
++
+ for (i = 0; i < ARRAY_SIZE(block.rdrand); ++i) {
+ if (!arch_get_random_long(&block.rdrand[i]))
+ block.rdrand[i] = random_get_entropy();
+@@ -1199,25 +1169,6 @@ static void _extract_entropy(void *buf,
+ memzero_explicit(&block, sizeof(block));
+ }
+
+-/*
+- * This function extracts randomness from the "entropy pool", and
+- * returns it in a buffer.
+- *
+- * The min parameter specifies the minimum amount we can pull before
+- * failing to avoid races that defeat catastrophic reseeding. If we
+- * have less than min entropy available, we return false and buf is
+- * not filled.
+- */
+-static bool extract_entropy(void *buf, size_t nbytes, int min)
+-{
+- trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_);
+- if (account(nbytes, min)) {
+- _extract_entropy(buf, nbytes);
+- return true;
+- }
+- return false;
+-}
+-
+ #define warn_unseeded_randomness(previous) \
+ _warn_unseeded_randomness(__func__, (void *)_RET_IP_, (previous))
+
+--- a/include/trace/events/random.h
++++ b/include/trace/events/random.h
+@@ -79,22 +79,6 @@ TRACE_EVENT(credit_entropy_bits,
+ __entry->bits, __entry->entropy_count, (void *)__entry->IP)
+ );
+
+-TRACE_EVENT(debit_entropy,
+- TP_PROTO(int debit_bits),
+-
+- TP_ARGS( debit_bits),
+-
+- TP_STRUCT__entry(
+- __field( int, debit_bits )
+- ),
+-
+- TP_fast_assign(
+- __entry->debit_bits = debit_bits;
+- ),
+-
+- TP_printk("input pool: debit_bits %d", __entry->debit_bits)
+-);
+-
+ TRACE_EVENT(add_input_randomness,
+ TP_PROTO(int input_bits),
+
+@@ -161,31 +145,29 @@ DEFINE_EVENT(random__get_random_bytes, g
+ );
+
+ DECLARE_EVENT_CLASS(random__extract_entropy,
+- TP_PROTO(int nbytes, int entropy_count, unsigned long IP),
++ TP_PROTO(int nbytes, int entropy_count),
+
+- TP_ARGS(nbytes, entropy_count, IP),
++ TP_ARGS(nbytes, entropy_count),
+
+ TP_STRUCT__entry(
+ __field( int, nbytes )
+ __field( int, entropy_count )
+- __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+ __entry->nbytes = nbytes;
+ __entry->entropy_count = entropy_count;
+- __entry->IP = IP;
+ ),
+
+- TP_printk("input pool: nbytes %d entropy_count %d caller %pS",
+- __entry->nbytes, __entry->entropy_count, (void *)__entry->IP)
++ TP_printk("input pool: nbytes %d entropy_count %d",
++ __entry->nbytes, __entry->entropy_count)
+ );
+
+
+ DEFINE_EVENT(random__extract_entropy, extract_entropy,
+- TP_PROTO(int nbytes, int entropy_count, unsigned long IP),
++ TP_PROTO(int nbytes, int entropy_count),
+
+- TP_ARGS(nbytes, entropy_count, IP)
++ TP_ARGS(nbytes, entropy_count)
+ );
+
+ TRACE_EVENT(urandom_read,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 21 Mar 2022 18:48:05 -0600
+Subject: random: skip fast_init if hwrng provides large chunk of entropy
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit af704c856e888fb044b058d731d61b46eeec499d upstream.
+
+At boot time, EFI calls add_bootloader_randomness(), which in turn calls
+add_hwgenerator_randomness(). Currently add_hwgenerator_randomness()
+feeds the first 64 bytes of randomness to the "fast init"
+non-crypto-grade phase. But if add_hwgenerator_randomness() gets called
+with more than POOL_MIN_BITS of entropy, there's no point in passing it
+off to the "fast init" stage, since that's enough entropy to bootstrap
+the real RNG. The "fast init" stage is just there to provide _something_
+in the case where we don't have enough entropy to properly bootstrap the
+RNG. But if we do have enough entropy to bootstrap the RNG, the current
+logic doesn't serve a purpose. So, in the case where we're passed
+greater than or equal to POOL_MIN_BITS of entropy, this commit makes us
+skip the "fast init" phase.
+
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1120,7 +1120,7 @@ void rand_initialize_disk(struct gendisk
+ void add_hwgenerator_randomness(const void *buffer, size_t count,
+ size_t entropy)
+ {
+- if (unlikely(crng_init == 0)) {
++ if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
+ size_t ret = crng_pre_init_inject(buffer, count, true);
+ mix_pool_bytes(buffer, ret);
+ count -= ret;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 10 Feb 2020 13:00:12 +0000
+Subject: random: split primary/secondary crng init paths
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 5cbe0f13b51ac2fb2fd55902cff8d0077fc084c0 upstream.
+
+Currently crng_initialize() is used for both the primary CRNG and
+secondary CRNGs. While we wish to share common logic, we need to do a
+number of additional things for the primary CRNG, and this would be
+easier to deal with were these handled in separate functions.
+
+This patch splits crng_initialize() into crng_initialize_primary() and
+crng_initialize_secondary(), with common logic factored out into a
+crng_init_try_arch() helper.
+
+There should be no functional change as a result of this patch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20200210130015.17664-2-mark.rutland@arm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -782,27 +782,39 @@ static int __init parse_trust_cpu(char *
+ }
+ early_param("random.trust_cpu", parse_trust_cpu);
+
+-static void crng_initialize(struct crng_state *crng)
++static bool crng_init_try_arch(struct crng_state *crng)
+ {
+ int i;
+- int arch_init = 1;
++ bool arch_init = true;
+ unsigned long rv;
+
+- memcpy(&crng->state[0], "expand 32-byte k", 16);
+- if (crng == &primary_crng)
+- _extract_entropy(&input_pool, &crng->state[4],
+- sizeof(__u32) * 12, 0);
+- else
+- _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
+ for (i = 4; i < 16; i++) {
+ if (!arch_get_random_seed_long(&rv) &&
+ !arch_get_random_long(&rv)) {
+ rv = random_get_entropy();
+- arch_init = 0;
++ arch_init = false;
+ }
+ crng->state[i] ^= rv;
+ }
+- if (trust_cpu && arch_init) {
++
++ return arch_init;
++}
++
++static void crng_initialize_secondary(struct crng_state *crng)
++{
++ memcpy(&crng->state[0], "expand 32-byte k", 16);
++ _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
++ crng_init_try_arch(crng);
++ crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
++}
++
++static void __init crng_initialize_primary(struct crng_state *crng)
++{
++ memcpy(&crng->state[0], "expand 32-byte k", 16);
++ _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0);
++ if (crng_init_try_arch(crng) && trust_cpu) {
++ invalidate_batched_entropy();
++ numa_crng_init();
+ crng_init = 2;
+ pr_notice("crng done (trusting CPU's manufacturer)\n");
+ }
+@@ -851,7 +863,7 @@ static void do_numa_crng_init(struct wor
+ crng = kmalloc_node(sizeof(struct crng_state),
+ GFP_KERNEL | __GFP_NOFAIL, i);
+ spin_lock_init(&crng->lock);
+- crng_initialize(crng);
++ crng_initialize_secondary(crng);
+ pool[i] = crng;
+ }
+ /* pairs with READ_ONCE() in select_crng() */
+@@ -1729,7 +1741,7 @@ int __init rand_initialize(void)
+ init_std_data(&input_pool);
+ if (crng_need_final_init)
+ crng_finalize_init(&primary_crng);
+- crng_initialize(&primary_crng);
++ crng_initialize_primary(&primary_crng);
+ crng_global_init_time = jiffies;
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Mon, 19 Aug 2019 08:02:45 -0700
+Subject: random: Support freezable kthreads in add_hwgenerator_randomness()
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit ff296293b3538d19278a7f7cd1f3aa600ad9164c upstream.
+
+The kthread calling this function is freezable after commit 03a3bb7ae631
+("hwrng: core - Freeze khwrng thread during suspend") is applied.
+Unfortunately, this function uses wait_event_interruptible() but doesn't
+check for the kthread being woken up by the fake freezer signal. When a
+user suspends the system, this kthread will wake up and if it fails the
+entropy size check it will immediately go back to sleep and not go into
+the freezer. Eventually, suspend will fail because the task never froze
+and a warning message like this may appear:
+
+ PM: suspend entry (deep)
+ Filesystems sync: 0.000 seconds
+ Freezing user space processes ... (elapsed 0.001 seconds) done.
+ OOM killer disabled.
+ Freezing remaining freezable tasks ...
+ Freezing of tasks failed after 20.003 seconds (1 tasks refusing to freeze, wq_busy=0):
+ hwrng R running task 0 289 2 0x00000020
+ [<c08c64c4>] (__schedule) from [<c08c6a10>] (schedule+0x3c/0xc0)
+ [<c08c6a10>] (schedule) from [<c05dbd8c>] (add_hwgenerator_randomness+0xb0/0x100)
+ [<c05dbd8c>] (add_hwgenerator_randomness) from [<bf1803c8>] (hwrng_fillfn+0xc0/0x14c [rng_core])
+ [<bf1803c8>] (hwrng_fillfn [rng_core]) from [<c015abec>] (kthread+0x134/0x148)
+ [<c015abec>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+
+Check for a freezer signal here and skip adding any randomness if the
+task wakes up because it was frozen. This should make the kthread freeze
+properly and suspend work again.
+
+Fixes: 03a3bb7ae631 ("hwrng: core - Freeze khwrng thread during suspend")
+Reported-by: Keerthy <j-keerthy@ti.com>
+Tested-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -2420,6 +2420,7 @@ void add_hwgenerator_randomness(const ch
+ size_t entropy)
+ {
+ struct entropy_store *poolp = &input_pool;
++ bool frozen = false;
+
+ if (unlikely(crng_init == 0)) {
+ crng_fast_load(buffer, count);
+@@ -2430,9 +2431,12 @@ void add_hwgenerator_randomness(const ch
+ * We'll be woken up again once below random_write_wakeup_thresh,
+ * or when the calling thread is about to terminate.
+ */
+- wait_event_interruptible(random_write_wait, kthread_should_stop() ||
++ wait_event_interruptible(random_write_wait,
++ kthread_freezable_should_stop(&frozen) ||
+ ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
+- mix_pool_bytes(poolp, buffer, count);
+- credit_entropy_bits(poolp, entropy);
++ if (!frozen) {
++ mix_pool_bytes(poolp, buffer, count);
++ credit_entropy_bits(poolp, entropy);
++ }
+ }
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 9 Feb 2022 22:46:48 +0100
+Subject: random: tie batched entropy generation to base_crng generation
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 0791e8b655cc373718f0f58800fdc625a3447ac5 upstream.
+
+Now that we have an explicit base_crng generation counter, we don't need
+a separate one for batched entropy. Rather, we can just move the
+generation forward every time we change crng_init state or update the
+base_crng key.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 29 ++++++++---------------------
+ 1 file changed, 8 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -428,8 +428,6 @@ static DEFINE_PER_CPU(struct crng, crngs
+
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+
+-static void invalidate_batched_entropy(void);
+-
+ /*
+ * crng_fast_load() can be called by code in the interrupt service
+ * path. So we can't afford to dilly-dally. Returns the number of
+@@ -452,7 +450,7 @@ static size_t crng_fast_load(const void
+ src++; crng_init_cnt++; len--; ret++;
+ }
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+- invalidate_batched_entropy();
++ ++base_crng.generation;
+ crng_init = 1;
+ }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+@@ -529,7 +527,6 @@ static void crng_reseed(void)
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+ if (crng_init < 2) {
+- invalidate_batched_entropy();
+ crng_init = 2;
+ finalize_init = true;
+ }
+@@ -1254,8 +1251,9 @@ int __init rand_initialize(void)
+ mix_pool_bytes(utsname(), sizeof(*(utsname())));
+
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
++ ++base_crng.generation;
++
+ if (arch_init && trust_cpu && crng_init < 2) {
+- invalidate_batched_entropy();
+ crng_init = 2;
+ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+@@ -1593,8 +1591,6 @@ struct ctl_table random_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+
+-static atomic_t batch_generation = ATOMIC_INIT(0);
+-
+ struct batched_entropy {
+ union {
+ /*
+@@ -1607,8 +1603,8 @@ struct batched_entropy {
+ u64 entropy_u64[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u64))];
+ u32 entropy_u32[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(u32))];
+ };
++ unsigned long generation;
+ unsigned int position;
+- int generation;
+ };
+
+ /*
+@@ -1627,14 +1623,14 @@ u64 get_random_u64(void)
+ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+- int next_gen;
++ unsigned long next_gen;
+
+ warn_unseeded_randomness(&previous);
+
+ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u64);
+
+- next_gen = atomic_read(&batch_generation);
++ next_gen = READ_ONCE(base_crng.generation);
+ if (batch->position >= ARRAY_SIZE(batch->entropy_u64) ||
+ next_gen != batch->generation) {
+ _get_random_bytes(batch->entropy_u64, sizeof(batch->entropy_u64));
+@@ -1660,14 +1656,14 @@ u32 get_random_u32(void)
+ unsigned long flags;
+ struct batched_entropy *batch;
+ static void *previous;
+- int next_gen;
++ unsigned long next_gen;
+
+ warn_unseeded_randomness(&previous);
+
+ local_irq_save(flags);
+ batch = raw_cpu_ptr(&batched_entropy_u32);
+
+- next_gen = atomic_read(&batch_generation);
++ next_gen = READ_ONCE(base_crng.generation);
+ if (batch->position >= ARRAY_SIZE(batch->entropy_u32) ||
+ next_gen != batch->generation) {
+ _get_random_bytes(batch->entropy_u32, sizeof(batch->entropy_u32));
+@@ -1683,15 +1679,6 @@ u32 get_random_u32(void)
+ }
+ EXPORT_SYMBOL(get_random_u32);
+
+-/* It's important to invalidate all potential batched entropy that might
+- * be stored before the crng is initialized, which we can do lazily by
+- * bumping the generation counter.
+- */
+-static void invalidate_batched_entropy(void)
+-{
+- atomic_inc(&batch_generation);
+-}
+-
+ /**
+ * randomize_page - Generate a random, page aligned address
+ * @start: The smallest acceptable address the caller will take.
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 22 Mar 2022 21:43:12 -0600
+Subject: random: treat bootloader trust toggle the same way as cpu trust toggle
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit d97c68d178fbf8aaaf21b69b446f2dfb13909316 upstream.
+
+If CONFIG_RANDOM_TRUST_CPU is set, the RNG initializes using RDRAND.
+But, the user can disable (or enable) this behavior by setting
+`random.trust_cpu=0/1` on the kernel command line. This allows system
+builders to do reasonable things while avoiding howls from tinfoil
+hatters. (Or vice versa.)
+
+CONFIG_RANDOM_TRUST_BOOTLOADER is basically the same thing, but regards
+the seed passed via EFI or device tree, which might come from RDRAND or
+a TPM or somewhere else. In order to allow distros to more easily enable
+this while avoiding those same howls (or vice versa), this commit adds
+the corresponding `random.trust_bootloader=0/1` toggle.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Graham Christensen <graham@grahamc.com>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Link: https://github.com/NixOS/nixpkgs/pull/165355
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 6 ++++++
+ drivers/char/Kconfig | 3 ++-
+ drivers/char/random.c | 8 +++++++-
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3532,6 +3532,12 @@
+ fully seed the kernel's CRNG. Default is controlled
+ by CONFIG_RANDOM_TRUST_CPU.
+
++ random.trust_bootloader={on,off}
++ [KNL] Enable or disable trusting the use of a
++ seed passed by the bootloader (if available) to
++ fully seed the kernel's CRNG. Default is controlled
++ by CONFIG_RANDOM_TRUST_BOOTLOADER.
++
+ ras=option[,option,...] [KNL] RAS-specific options
+
+ cec_disable [X86]
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -612,4 +612,5 @@ config RANDOM_TRUST_BOOTLOADER
+ device randomness. Say Y here to assume the entropy provided by the
+ booloader is trustworthy so it will be added to the kernel's entropy
+ pool. Otherwise, say N here so it will be regarded as device input that
+- only mixes the entropy pool.
+\ No newline at end of file
++ only mixes the entropy pool. This can also be configured at boot with
++ "random.trust_bootloader=on/off".
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -940,11 +940,17 @@ static bool drain_entropy(void *buf, siz
+ **********************************************************************/
+
+ static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
++static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
+ static int __init parse_trust_cpu(char *arg)
+ {
+ return kstrtobool(arg, &trust_cpu);
+ }
++static int __init parse_trust_bootloader(char *arg)
++{
++ return kstrtobool(arg, &trust_bootloader);
++}
+ early_param("random.trust_cpu", parse_trust_cpu);
++early_param("random.trust_bootloader", parse_trust_bootloader);
+
+ /*
+ * The first collection of entropy occurs at system boot while interrupts
+@@ -1152,7 +1158,7 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_random
+ */
+ void add_bootloader_randomness(const void *buf, size_t size)
+ {
+- if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
++ if (trust_bootloader)
+ add_hwgenerator_randomness(buf, size, size * 8);
+ else
+ add_device_randomness(buf, size);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 28 Sep 2019 16:53:52 -0700
+Subject: random: try to actively add entropy rather than passively wait for it
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 50ee7529ec4500c88f8664560770a7a1b65db72b upstream.
+
+For 5.3 we had to revert a nice ext4 IO pattern improvement, because it
+caused a bootup regression due to lack of entropy at bootup together
+with arguably broken user space that was asking for secure random
+numbers when it really didn't need to.
+
+See commit 72dbcf721566 (Revert "ext4: make __ext4_get_inode_loc plug").
+
+This aims to solve the issue by actively generating entropy noise using
+the CPU cycle counter when waiting for the random number generator to
+initialize. This only works when you have a high-frequency time stamp
+counter available, but that's the case on all modern x86 CPU's, and on
+most other modern CPU's too.
+
+What we do is to generate jitter entropy from the CPU cycle counter
+under a somewhat complex load: calling the scheduler while also
+guaranteeing a certain amount of timing noise by also triggering a
+timer.
+
+I'm sure we can tweak this, and that people will want to look at other
+alternatives, but there's been a number of papers written on jitter
+entropy, and this should really be fairly conservative by crediting one
+bit of entropy for every timer-induced jump in the cycle counter. Not
+because the timer itself would be all that unpredictable, but because
+the interaction between the timer and the loop is going to be.
+
+Even if (and perhaps particularly if) the timer actually happens on
+another CPU, the cacheline interaction between the loop that reads the
+cycle counter and the timer itself firing is going to add perturbations
+to the cycle counter values that get mixed into the entropy pool.
+
+As Thomas pointed out, with a modern out-of-order CPU, even quite simple
+loops show a fair amount of hard-to-predict timing variability even in
+the absense of external interrupts. But this tries to take that further
+by actually having a fairly complex interaction.
+
+This is not going to solve the entropy issue for architectures that have
+no CPU cycle counter, but it's not clear how (and if) that is solvable,
+and the hardware in question is largely starting to be irrelevant. And
+by doing this we can at least avoid some of the even more contentious
+approaches (like making the entropy waiting time out in order to avoid
+the possibly unbounded waiting).
+
+Cc: Ahmed Darwish <darwish.07@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Nicholas Mc Guire <hofrat@opentech.at>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Alexander E. Patrakov <patrakov@gmail.com>
+Cc: Lennart Poettering <mzxreary@0pointer.de>
+Cc: Noah Meyerhans <noahm@debian.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1522,6 +1522,56 @@ void get_random_bytes(void *buf, int nby
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+
++
++/*
++ * Each time the timer fires, we expect that we got an unpredictable
++ * jump in the cycle counter. Even if the timer is running on another
++ * CPU, the timer activity will be touching the stack of the CPU that is
++ * generating entropy..
++ *
++ * Note that we don't re-arm the timer in the timer itself - we are
++ * happy to be scheduled away, since that just makes the load more
++ * complex, but we do not want the timer to keep ticking unless the
++ * entropy loop is running.
++ *
++ * So the re-arming always happens in the entropy loop itself.
++ */
++static void entropy_timer(unsigned long data)
++{
++ credit_entropy_bits(&input_pool, 1);
++}
++
++/*
++ * If we have an actual cycle counter, see if we can
++ * generate enough entropy with timing noise
++ */
++static void try_to_generate_entropy(void)
++{
++ struct {
++ unsigned long now;
++ struct timer_list timer;
++ } stack;
++
++ stack.now = random_get_entropy();
++
++ /* Slow counter - or none. Don't even bother */
++ if (stack.now == random_get_entropy())
++ return;
++
++ __setup_timer_on_stack(&stack.timer, entropy_timer, 0, 0);
++ while (!crng_ready()) {
++ if (!timer_pending(&stack.timer))
++ mod_timer(&stack.timer, jiffies+1);
++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++ schedule();
++ stack.now = random_get_entropy();
++ }
++
++ del_timer_sync(&stack.timer);
++ destroy_timer_on_stack(&stack.timer);
++ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
++}
++
+ /*
+ * Wait for the urandom pool to be seeded and thus guaranteed to supply
+ * cryptographically secure random numbers. This applies to: the /dev/urandom
+@@ -1536,7 +1586,17 @@ int wait_for_random_bytes(void)
+ {
+ if (likely(crng_ready()))
+ return 0;
+- return wait_event_interruptible(crng_init_wait, crng_ready());
++
++ do {
++ int ret;
++ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
++ if (ret)
++ return ret > 0 ? 0 : ret;
++
++ try_to_generate_entropy();
++ } while (!crng_ready());
++
++ return 0;
+ }
+ EXPORT_SYMBOL(wait_for_random_bytes);
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 24 Feb 2022 18:30:58 +0100
+Subject: random: unify cycles_t and jiffies usage and types
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit abded93ec1e9692920fe309f07f40bd1035f2940 upstream.
+
+random_get_entropy() returns a cycles_t, not an unsigned long, which is
+sometimes 64 bits on various 32-bit platforms, including x86.
+Conversely, jiffies is always unsigned long. This commit fixes things to
+use cycles_t for fields that use random_get_entropy(), named "cycles",
+and unsigned long for fields that use jiffies, named "now". It's also
+good to mix in a cycles_t and a jiffies in the same way for both
+add_device_randomness and add_timer_randomness, rather than using xor in
+one case. Finally, we unify the order of these volatile reads, always
+reading the more precise cycles counter, and then jiffies, so that the
+cycle counter is as close to the event as possible.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 56 ++++++++++++++++++++++++--------------------------
+ 1 file changed, 27 insertions(+), 29 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1015,12 +1015,6 @@ int __init rand_initialize(void)
+ return 0;
+ }
+
+-/* There is one of these per entropy source */
+-struct timer_rand_state {
+- cycles_t last_time;
+- long last_delta, last_delta2;
+-};
+-
+ /*
+ * Add device- or boot-specific data to the input pool to help
+ * initialize it.
+@@ -1031,19 +1025,26 @@ struct timer_rand_state {
+ */
+ void add_device_randomness(const void *buf, size_t size)
+ {
+- unsigned long time = random_get_entropy() ^ jiffies;
+- unsigned long flags;
++ cycles_t cycles = random_get_entropy();
++ unsigned long flags, now = jiffies;
+
+ if (crng_init == 0 && size)
+ crng_pre_init_inject(buf, size, false, false);
+
+ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(&cycles, sizeof(cycles));
++ _mix_pool_bytes(&now, sizeof(now));
+ _mix_pool_bytes(buf, size);
+- _mix_pool_bytes(&time, sizeof(time));
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+ EXPORT_SYMBOL(add_device_randomness);
+
++/* There is one of these per entropy source */
++struct timer_rand_state {
++ unsigned long last_time;
++ long last_delta, last_delta2;
++};
++
+ /*
+ * This function adds entropy to the entropy "pool" by using timing
+ * delays. It uses the timer_rand_state structure to make an estimate
+@@ -1052,29 +1053,26 @@ EXPORT_SYMBOL(add_device_randomness);
+ * The number "num" is also added to the pool - it should somehow describe
+ * the type of event which just happened. This is currently 0-255 for
+ * keyboard scan codes, and 256 upwards for interrupts.
+- *
+ */
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+ {
+- struct {
+- long jiffies;
+- unsigned int cycles;
+- unsigned int num;
+- } sample;
++ cycles_t cycles = random_get_entropy();
++ unsigned long flags, now = jiffies;
+ long delta, delta2, delta3;
+
+- sample.jiffies = jiffies;
+- sample.cycles = random_get_entropy();
+- sample.num = num;
+- mix_pool_bytes(&sample, sizeof(sample));
++ spin_lock_irqsave(&input_pool.lock, flags);
++ _mix_pool_bytes(&cycles, sizeof(cycles));
++ _mix_pool_bytes(&now, sizeof(now));
++ _mix_pool_bytes(&num, sizeof(num));
++ spin_unlock_irqrestore(&input_pool.lock, flags);
+
+ /*
+ * Calculate number of bits of randomness we probably added.
+ * We take into account the first, second and third-order deltas
+ * in order to make our estimate.
+ */
+- delta = sample.jiffies - state->last_time;
+- state->last_time = sample.jiffies;
++ delta = now - READ_ONCE(state->last_time);
++ WRITE_ONCE(state->last_time, now);
+
+ delta2 = delta - state->last_delta;
+ state->last_delta = delta;
+@@ -1300,10 +1298,10 @@ static void mix_interrupt_randomness(str
+ void add_interrupt_randomness(int irq)
+ {
+ enum { MIX_INFLIGHT = 1U << 31 };
++ cycles_t cycles = random_get_entropy();
++ unsigned long now = jiffies;
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+- unsigned long now = jiffies;
+- cycles_t cycles = random_get_entropy();
+ unsigned int new_count;
+
+ if (cycles == 0)
+@@ -1378,28 +1376,28 @@ static void entropy_timer(unsigned long
+ static void try_to_generate_entropy(void)
+ {
+ struct {
+- unsigned long now;
++ cycles_t cycles;
+ struct timer_list timer;
+ } stack;
+
+- stack.now = random_get_entropy();
++ stack.cycles = random_get_entropy();
+
+ /* Slow counter - or none. Don't even bother */
+- if (stack.now == random_get_entropy())
++ if (stack.cycles == random_get_entropy())
+ return;
+
+ __setup_timer_on_stack(&stack.timer, entropy_timer, 0, 0);
+ while (!crng_ready()) {
+ if (!timer_pending(&stack.timer))
+ mod_timer(&stack.timer, jiffies + 1);
+- mix_pool_bytes(&stack.now, sizeof(stack.now));
++ mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
+ schedule();
+- stack.now = random_get_entropy();
++ stack.cycles = random_get_entropy();
+ }
+
+ del_timer_sync(&stack.timer);
+ destroy_timer_on_stack(&stack.timer);
+- mix_pool_bytes(&stack.now, sizeof(stack.now));
++ mix_pool_bytes(&stack.cycles, sizeof(stack.cycles));
+ }
+
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 12 Feb 2022 23:54:09 +0100
+Subject: random: unify early init crng load accounting
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit da792c6d5f59a76c10a310c5d4c93428fd18f996 upstream.
+
+crng_fast_load() and crng_slow_load() have different semantics:
+
+- crng_fast_load() xors and accounts with crng_init_cnt.
+- crng_slow_load() hashes and doesn't account.
+
+However add_hwgenerator_randomness() can afford to hash (it's called
+from a kthread), and it should account. Additionally, ones that can
+afford to hash don't need to take a trylock but can take a normal lock.
+So, we combine these into one function, crng_pre_init_inject(), which
+allows us to control these in a uniform way. This will make it simpler
+later to simplify this all down when the time comes for that.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 114 +++++++++++++++++++++++++-------------------------
+ 1 file changed, 59 insertions(+), 55 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -384,7 +384,7 @@ static void crng_make_state(u32 chacha_s
+ * For the fast path, we check whether we're ready, unlocked first, and
+ * then re-check once locked later. In the case where we're really not
+ * ready, we do fast key erasure with the base_crng directly, because
+- * this is what crng_{fast,slow}_load mutate during early init.
++ * this is what crng_pre_init_inject() mutates during early init.
+ */
+ if (unlikely(!crng_ready())) {
+ bool ready;
+@@ -435,72 +435,75 @@ static void crng_make_state(u32 chacha_s
+ }
+
+ /*
+- * This function is for crng_init == 0 only.
++ * This function is for crng_init == 0 only. It loads entropy directly
++ * into the crng's key, without going through the input pool. It is,
++ * generally speaking, not very safe, but we use this only at early
++ * boot time when it's better to have something there rather than
++ * nothing.
++ *
++ * There are two paths, a slow one and a fast one. The slow one
++ * hashes the input along with the current key. The fast one simply
++ * xors it in, and should only be used from interrupt context.
++ *
++ * If account is set, then the crng_init_cnt counter is incremented.
++ * This shouldn't be set by functions like add_device_randomness(),
++ * where we can't trust the buffer passed to it is guaranteed to be
++ * unpredictable (so it might not have any entropy at all).
+ *
+- * crng_fast_load() can be called by code in the interrupt service
+- * path. So we can't afford to dilly-dally. Returns the number of
+- * bytes processed from cp.
++ * Returns the number of bytes processed from input, which is bounded
++ * by CRNG_INIT_CNT_THRESH if account is true.
+ */
+-static size_t crng_fast_load(const void *cp, size_t len)
++static size_t crng_pre_init_inject(const void *input, size_t len,
++ bool fast, bool account)
+ {
+ static int crng_init_cnt = 0;
+ unsigned long flags;
+- const u8 *src = (const u8 *)cp;
+- size_t ret = 0;
+
+- if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return 0;
++ if (fast) {
++ if (!spin_trylock_irqsave(&base_crng.lock, flags))
++ return 0;
++ } else {
++ spin_lock_irqsave(&base_crng.lock, flags);
++ }
++
+ if (crng_init != 0) {
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 0;
+ }
+- while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+- base_crng.key[crng_init_cnt % sizeof(base_crng.key)] ^= *src;
+- src++; crng_init_cnt++; len--; ret++;
+- }
+- if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+- ++base_crng.generation;
+- crng_init = 1;
+- }
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- if (crng_init == 1)
+- pr_notice("fast init done\n");
+- return ret;
+-}
+
+-/*
+- * This function is for crng_init == 0 only.
+- *
+- * crng_slow_load() is called by add_device_randomness, which has two
+- * attributes. (1) We can't trust the buffer passed to it is
+- * guaranteed to be unpredictable (so it might not have any entropy at
+- * all), and (2) it doesn't have the performance constraints of
+- * crng_fast_load().
+- *
+- * So, we simply hash the contents in with the current key. Finally,
+- * we do *not* advance crng_init_cnt since buffer we may get may be
+- * something like a fixed DMI table (for example), which might very
+- * well be unique to the machine, but is otherwise unvarying.
+- */
+-static void crng_slow_load(const void *cp, size_t len)
+-{
+- unsigned long flags;
+- struct blake2s_state hash;
++ if (account)
++ len = min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
+
+- blake2s_init(&hash, sizeof(base_crng.key));
+-
+- if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return;
+- if (crng_init != 0) {
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- return;
++ if (fast) {
++ const u8 *src = input;
++ size_t i;
++
++ for (i = 0; i < len; ++i)
++ base_crng.key[(crng_init_cnt + i) %
++ sizeof(base_crng.key)] ^= src[i];
++ } else {
++ struct blake2s_state hash;
++
++ blake2s_init(&hash, sizeof(base_crng.key));
++ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
++ blake2s_update(&hash, input, len);
++ blake2s_final(&hash, base_crng.key);
++ }
++
++ if (account) {
++ crng_init_cnt += len;
++ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
++ ++base_crng.generation;
++ crng_init = 1;
++ }
+ }
+
+- blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+- blake2s_update(&hash, cp, len);
+- blake2s_final(&hash, base_crng.key);
+-
+ spin_unlock_irqrestore(&base_crng.lock, flags);
++
++ if (crng_init == 1)
++ pr_notice("fast init done\n");
++
++ return len;
+ }
+
+ static void _get_random_bytes(void *buf, size_t nbytes)
+@@ -1013,7 +1016,7 @@ void add_device_randomness(const void *b
+ unsigned long flags;
+
+ if (!crng_ready() && size)
+- crng_slow_load(buf, size);
++ crng_pre_init_inject(buf, size, false, false);
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(buf, size);
+@@ -1130,7 +1133,7 @@ void add_hwgenerator_randomness(const vo
+ size_t entropy)
+ {
+ if (unlikely(crng_init == 0)) {
+- size_t ret = crng_fast_load(buffer, count);
++ size_t ret = crng_pre_init_inject(buffer, count, false, true);
+ mix_pool_bytes(buffer, ret);
+ count -= ret;
+ buffer += ret;
+@@ -1293,7 +1296,8 @@ void add_interrupt_randomness(int irq)
+
+ if (unlikely(crng_init == 0)) {
+ if (new_count >= 64 &&
+- crng_fast_load(fast_pool->pool32, sizeof(fast_pool->pool32)) > 0) {
++ crng_pre_init_inject(fast_pool->pool32, sizeof(fast_pool->pool32),
++ true, true) > 0) {
+ atomic_set(&fast_pool->count, 0);
+ fast_pool->last = now;
+ if (spin_trylock(&input_pool.lock)) {
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 21 Dec 2021 16:31:27 +0100
+Subject: random: use BLAKE2s instead of SHA1 in extraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9f9eff85a008b095eafc5f4ecbaf5aca689271c1 upstream.
+
+This commit addresses one of the lower hanging fruits of the RNG: its
+usage of SHA1.
+
+BLAKE2s is generally faster, and certainly more secure, than SHA1, which
+has [1] been [2] really [3] very [4] broken [5]. Additionally, the
+current construction in the RNG doesn't use the full SHA1 function, as
+specified, and allows overwriting the IV with RDRAND output in an
+undocumented way, even in the case when RDRAND isn't set to "trusted",
+which means potential malicious IV choices. And its short length means
+that keeping only half of it secret when feeding back into the mixer
+gives us only 2^80 bits of forward secrecy. In other words, not only is
+the choice of hash function dated, but the use of it isn't really great
+either.
+
+This commit aims to fix both of these issues while also keeping the
+general structure and semantics as close to the original as possible.
+Specifically:
+
+ a) Rather than overwriting the hash IV with RDRAND, we put it into
+ BLAKE2's documented "salt" and "personal" fields, which were
+ specifically created for this type of usage.
+ b) Since this function feeds the full hash result back into the
+ entropy collector, we only return from it half the length of the
+ hash, just as it was done before. This increases the
+ construction's forward secrecy from 2^80 to a much more
+ comfortable 2^128.
+ c) Rather than using the raw "sha1_transform" function alone, we
+ instead use the full proper BLAKE2s function, with finalization.
+
+This also has the advantage of supplying 16 bytes at a time rather than
+SHA1's 10 bytes, which, in addition to having a faster compression
+function to begin with, means faster extraction in general. On an Intel
+i7-11850H, this commit makes initial seeding around 131% faster.
+
+BLAKE2s itself has the nice property of internally being based on the
+ChaCha permutation, which the RNG is already using for expansion, so
+there shouldn't be any issue with newness, funkiness, or surprising CPU
+behavior, since it's based on something already in use.
+
+[1] https://eprint.iacr.org/2005/010.pdf
+[2] https://www.iacr.org/archive/crypto2005/36210017/36210017.pdf
+[3] https://eprint.iacr.org/2015/967.pdf
+[4] https://shattered.io/static/shattered.pdf
+[5] https://www.usenix.org/system/files/sec20-leurent.pdf
+
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 70 +++++++++++++++++++++-----------------------------
+ 1 file changed, 30 insertions(+), 40 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1,8 +1,7 @@
+ /*
+ * random.c -- A strong random number generator
+ *
+- * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All
+- * Rights Reserved.
++ * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005
+ *
+@@ -78,12 +77,12 @@
+ * an *estimate* of how many bits of randomness have been stored into
+ * the random number generator's internal state.
+ *
+- * When random bytes are desired, they are obtained by taking the SHA
+- * hash of the contents of the "entropy pool". The SHA hash avoids
++ * When random bytes are desired, they are obtained by taking the BLAKE2s
++ * hash of the contents of the "entropy pool". The BLAKE2s hash avoids
+ * exposing the internal state of the entropy pool. It is believed to
+ * be computationally infeasible to derive any useful information
+- * about the input of SHA from its output. Even if it is possible to
+- * analyze SHA in some clever way, as long as the amount of data
++ * about the input of BLAKE2s from its output. Even if it is possible to
++ * analyze BLAKE2s in some clever way, as long as the amount of data
+ * returned from the generator is less than the inherent entropy in
+ * the pool, the output data is totally unpredictable. For this
+ * reason, the routine decreases its internal estimate of how many
+@@ -93,7 +92,7 @@
+ * If this estimate goes to zero, the routine can still generate
+ * random numbers; however, an attacker may (at least in theory) be
+ * able to infer the future output of the generator from prior
+- * outputs. This requires successful cryptanalysis of SHA, which is
++ * outputs. This requires successful cryptanalysis of BLAKE2s, which is
+ * not believed to be feasible, but there is a remote possibility.
+ * Nonetheless, these numbers should be useful for the vast majority
+ * of purposes.
+@@ -348,6 +347,7 @@
+ #include <linux/completion.h>
+ #include <linux/uuid.h>
+ #include <crypto/chacha20.h>
++#include <crypto/blake2s.h>
+
+ #include <asm/processor.h>
+ #include <linux/uaccess.h>
+@@ -367,10 +367,7 @@
+ #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
+ #define OUTPUT_POOL_SHIFT 10
+ #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
+-#define EXTRACT_SIZE 10
+-
+-
+-#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
++#define EXTRACT_SIZE (BLAKE2S_HASH_SIZE / 2)
+
+ /*
+ * To allow fractional bits to be tracked, the entropy_count field is
+@@ -406,7 +403,7 @@ static int random_write_wakeup_bits = 28
+ * Thanks to Colin Plumb for suggesting this.
+ *
+ * The mixing operation is much less sensitive than the output hash,
+- * where we use SHA-1. All that we want of mixing operation is that
++ * where we use BLAKE2s. All that we want of mixing operation is that
+ * it be a good non-cryptographic hash; i.e. it not produce collisions
+ * when fed "random" data of the sort we expect to see. As long as
+ * the pool state differs for different inputs, we have preserved the
+@@ -1397,56 +1394,49 @@ retry:
+ */
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+- int i;
+- union {
+- __u32 w[5];
+- unsigned long l[LONGS(20)];
+- } hash;
+- __u32 workspace[SHA_WORKSPACE_WORDS];
++ struct blake2s_state state __aligned(__alignof__(unsigned long));
++ u8 hash[BLAKE2S_HASH_SIZE];
++ unsigned long *salt;
+ unsigned long flags;
+
++ blake2s_init(&state, sizeof(hash));
++
+ /*
+ * If we have an architectural hardware random number
+- * generator, use it for SHA's initial vector
++ * generator, use it for BLAKE2's salt & personal fields.
+ */
+- sha_init(hash.w);
+- for (i = 0; i < LONGS(20); i++) {
++ for (salt = (unsigned long *)&state.h[4];
++ salt < (unsigned long *)&state.h[8]; ++salt) {
+ unsigned long v;
+ if (!arch_get_random_long(&v))
+ break;
+- hash.l[i] = v;
++ *salt ^= v;
+ }
+
+- /* Generate a hash across the pool, 16 words (512 bits) at a time */
++ /* Generate a hash across the pool */
+ spin_lock_irqsave(&r->lock, flags);
+- for (i = 0; i < r->poolinfo->poolwords; i += 16)
+- sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
++ blake2s_update(&state, (const u8 *)r->pool,
++ r->poolinfo->poolwords * sizeof(*r->pool));
++ blake2s_final(&state, hash); /* final zeros out state */
+
+ /*
+ * We mix the hash back into the pool to prevent backtracking
+ * attacks (where the attacker knows the state of the pool
+ * plus the current outputs, and attempts to find previous
+- * ouputs), unless the hash function can be inverted. By
+- * mixing at least a SHA1 worth of hash data back, we make
++ * outputs), unless the hash function can be inverted. By
++ * mixing at least a hash worth of hash data back, we make
+ * brute-forcing the feedback as hard as brute-forcing the
+ * hash.
+ */
+- __mix_pool_bytes(r, hash.w, sizeof(hash.w));
++ __mix_pool_bytes(r, hash, sizeof(hash));
+ spin_unlock_irqrestore(&r->lock, flags);
+
+- memzero_explicit(workspace, sizeof(workspace));
+-
+- /*
+- * In case the hash function has some recognizable output
+- * pattern, we fold it in half. Thus, we always feed back
+- * twice as much data as we output.
++ /* Note that EXTRACT_SIZE is half of hash size here, because above
++ * we've dumped the full length back into mixer. By reducing the
++ * amount that we emit, we retain a level of forward secrecy.
+ */
+- hash.w[0] ^= hash.w[3];
+- hash.w[1] ^= hash.w[4];
+- hash.w[2] ^= rol32(hash.w[2], 16);
+-
+- memcpy(out, &hash, EXTRACT_SIZE);
+- memzero_explicit(&hash, sizeof(hash));
++ memcpy(out, hash, EXTRACT_SIZE);
++ memzero_explicit(hash, sizeof(hash));
+ }
+
+ static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 16 Jan 2022 14:23:10 +0100
+Subject: random: use computational hash for entropy extraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 6e8ec2552c7d13991148e551e3325a624d73fac6 upstream.
+
+The current 4096-bit LFSR used for entropy collection had a few
+desirable attributes for the context in which it was created. For
+example, the state was huge, which meant that /dev/random would be able
+to output quite a bit of accumulated entropy before blocking. It was
+also, in its time, quite fast at accumulating entropy byte-by-byte,
+which matters given the varying contexts in which mix_pool_bytes() is
+called. And its diffusion was relatively high, which meant that changes
+would ripple across several words of state rather quickly.
+
+However, it also suffers from a few security vulnerabilities. In
+particular, inputs learned by an attacker can be undone, but moreover,
+if the state of the pool leaks, its contents can be controlled and
+entirely zeroed out. I've demonstrated this attack with this SMT2
+script, <https://xn--4db.cc/5o9xO8pb>, which Boolector/CaDiCal solves in
+a matter of seconds on a single core of my laptop, resulting in little
+proof of concept C demonstrators such as <https://xn--4db.cc/jCkvvIaH/c>.
+
+For basically all recent formal models of RNGs, these attacks represent
+a significant cryptographic flaw. But how does this manifest
+practically? If an attacker has access to the system to such a degree
+that he can learn the internal state of the RNG, arguably there are
+other lower hanging vulnerabilities -- side-channel, infoleak, or
+otherwise -- that might have higher priority. On the other hand, seed
+files are frequently used on systems that have a hard time generating
+much entropy on their own, and these seed files, being files, often leak
+or are duplicated and distributed accidentally, or are even seeded over
+the Internet intentionally, where their contents might be recorded or
+tampered with. Seen this way, an otherwise quasi-implausible
+vulnerability is a bit more practical than initially thought.
+
+Another aspect of the current mix_pool_bytes() function is that, while
+its performance was arguably competitive for the time in which it was
+created, it's no longer considered so. This patch improves performance
+significantly: on a high-end CPU, an i7-11850H, it improves performance
+of mix_pool_bytes() by 225%, and on a low-end CPU, a Cortex-A7, it
+improves performance by 103%.
+
+This commit replaces the LFSR of mix_pool_bytes() with a straight-
+forward cryptographic hash function, BLAKE2s, which is already in use
+for pool extraction. Universal hashing with a secret seed was considered
+too, something along the lines of <https://eprint.iacr.org/2013/338>,
+but the requirement for a secret seed makes for a chicken & egg problem.
+Instead we go with a formally proven scheme using a computational hash
+function, described in sections 5.1, 6.4, and B.1.8 of
+<https://eprint.iacr.org/2019/198>.
+
+BLAKE2s outputs 256 bits, which should give us an appropriate amount of
+min-entropy accumulation, and a wide enough margin of collision
+resistance against active attacks. mix_pool_bytes() becomes a simple
+call to blake2s_update(), for accumulation, while the extraction step
+becomes a blake2s_final() to generate a seed, with which we can then do
+a HKDF-like or BLAKE2X-like expansion, the first part of which we fold
+back as an init key for subsequent blake2s_update()s, and the rest we
+produce to the caller. This then is provided to our CRNG like usual. In
+that expansion step, we make opportunistic use of 32 bytes of RDRAND
+output, just as before. We also always reseed the crng with 32 bytes,
+unconditionally, or not at all, rather than sometimes with 16 as before,
+as we don't win anything by limiting beyond the 16 byte threshold.
+
+Going for a hash function as an entropy collector is a conservative,
+proven approach. The result of all this is a much simpler and much less
+bespoke construction than what's there now, which not only plugs a
+vulnerability but also improves performance considerably.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 304 +++++++++-----------------------------------------
+ 1 file changed, 55 insertions(+), 249 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -42,61 +42,6 @@
+ */
+
+ /*
+- * (now, with legal B.S. out of the way.....)
+- *
+- * This routine gathers environmental noise from device drivers, etc.,
+- * and returns good random numbers, suitable for cryptographic use.
+- * Besides the obvious cryptographic uses, these numbers are also good
+- * for seeding TCP sequence numbers, and other places where it is
+- * desirable to have numbers which are not only random, but hard to
+- * predict by an attacker.
+- *
+- * Theory of operation
+- * ===================
+- *
+- * Computers are very predictable devices. Hence it is extremely hard
+- * to produce truly random numbers on a computer --- as opposed to
+- * pseudo-random numbers, which can easily generated by using a
+- * algorithm. Unfortunately, it is very easy for attackers to guess
+- * the sequence of pseudo-random number generators, and for some
+- * applications this is not acceptable. So instead, we must try to
+- * gather "environmental noise" from the computer's environment, which
+- * must be hard for outside attackers to observe, and use that to
+- * generate random numbers. In a Unix environment, this is best done
+- * from inside the kernel.
+- *
+- * Sources of randomness from the environment include inter-keyboard
+- * timings, inter-interrupt timings from some interrupts, and other
+- * events which are both (a) non-deterministic and (b) hard for an
+- * outside observer to measure. Randomness from these sources are
+- * added to an "entropy pool", which is mixed using a CRC-like function.
+- * This is not cryptographically strong, but it is adequate assuming
+- * the randomness is not chosen maliciously, and it is fast enough that
+- * the overhead of doing it on every interrupt is very reasonable.
+- * As random bytes are mixed into the entropy pool, the routines keep
+- * an *estimate* of how many bits of randomness have been stored into
+- * the random number generator's internal state.
+- *
+- * When random bytes are desired, they are obtained by taking the BLAKE2s
+- * hash of the contents of the "entropy pool". The BLAKE2s hash avoids
+- * exposing the internal state of the entropy pool. It is believed to
+- * be computationally infeasible to derive any useful information
+- * about the input of BLAKE2s from its output. Even if it is possible to
+- * analyze BLAKE2s in some clever way, as long as the amount of data
+- * returned from the generator is less than the inherent entropy in
+- * the pool, the output data is totally unpredictable. For this
+- * reason, the routine decreases its internal estimate of how many
+- * bits of "true randomness" are contained in the entropy pool as it
+- * outputs random numbers.
+- *
+- * If this estimate goes to zero, the routine can still generate
+- * random numbers; however, an attacker may (at least in theory) be
+- * able to infer the future output of the generator from prior
+- * outputs. This requires successful cryptanalysis of BLAKE2s, which is
+- * not believed to be feasible, but there is a remote possibility.
+- * Nonetheless, these numbers should be useful for the vast majority
+- * of purposes.
+- *
+ * Exported interfaces ---- output
+ * ===============================
+ *
+@@ -298,23 +243,6 @@
+ *
+ * mknod /dev/random c 1 8
+ * mknod /dev/urandom c 1 9
+- *
+- * Acknowledgements:
+- * =================
+- *
+- * Ideas for constructing this random number generator were derived
+- * from Pretty Good Privacy's random number generator, and from private
+- * discussions with Phil Karn. Colin Plumb provided a faster random
+- * number generator, which speed up the mixing function of the entropy
+- * pool, taken from PGPfone. Dale Worley has also contributed many
+- * useful ideas and suggestions to improve this driver.
+- *
+- * Any flaws in the design are solely my responsibility, and should
+- * not be attributed to the Phil, Colin, or any of authors of PGP.
+- *
+- * Further background information on this topic may be obtained from
+- * RFC 1750, "Randomness Recommendations for Security", by Donald
+- * Eastlake, Steve Crocker, and Jeff Schiller.
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -358,79 +286,15 @@
+
+ /* #define ADD_INTERRUPT_BENCH */
+
+-/*
+- * If the entropy count falls under this number of bits, then we
+- * should wake up processes which are selecting or polling on write
+- * access to /dev/random.
+- */
+-static int random_write_wakeup_bits = 28 * (1 << 5);
+-
+-/*
+- * Originally, we used a primitive polynomial of degree .poolwords
+- * over GF(2). The taps for various sizes are defined below. They
+- * were chosen to be evenly spaced except for the last tap, which is 1
+- * to get the twisting happening as fast as possible.
+- *
+- * For the purposes of better mixing, we use the CRC-32 polynomial as
+- * well to make a (modified) twisted Generalized Feedback Shift
+- * Register. (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR
+- * generators. ACM Transactions on Modeling and Computer Simulation
+- * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted
+- * GFSR generators II. ACM Transactions on Modeling and Computer
+- * Simulation 4:254-266)
+- *
+- * Thanks to Colin Plumb for suggesting this.
+- *
+- * The mixing operation is much less sensitive than the output hash,
+- * where we use BLAKE2s. All that we want of mixing operation is that
+- * it be a good non-cryptographic hash; i.e. it not produce collisions
+- * when fed "random" data of the sort we expect to see. As long as
+- * the pool state differs for different inputs, we have preserved the
+- * input entropy and done a good job. The fact that an intelligent
+- * attacker can construct inputs that will produce controlled
+- * alterations to the pool's state is not important because we don't
+- * consider such inputs to contribute any randomness. The only
+- * property we need with respect to them is that the attacker can't
+- * increase his/her knowledge of the pool's state. Since all
+- * additions are reversible (knowing the final state and the input,
+- * you can reconstruct the initial state), if an attacker has any
+- * uncertainty about the initial state, he/she can only shuffle that
+- * uncertainty about, but never cause any collisions (which would
+- * decrease the uncertainty).
+- *
+- * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and
+- * Videau in their paper, "The Linux Pseudorandom Number Generator
+- * Revisited" (see: http://eprint.iacr.org/2012/251.pdf). In their
+- * paper, they point out that we are not using a true Twisted GFSR,
+- * since Matsumoto & Kurita used a trinomial feedback polynomial (that
+- * is, with only three taps, instead of the six that we are using).
+- * As a result, the resulting polynomial is neither primitive nor
+- * irreducible, and hence does not have a maximal period over
+- * GF(2**32). They suggest a slight change to the generator
+- * polynomial which improves the resulting TGFSR polynomial to be
+- * irreducible, which we have made here.
+- */
+ enum poolinfo {
+- POOL_WORDS = 128,
+- POOL_WORDMASK = POOL_WORDS - 1,
+- POOL_BYTES = POOL_WORDS * sizeof(u32),
+- POOL_BITS = POOL_BYTES * 8,
++ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+ POOL_BITSHIFT = ilog2(POOL_BITS),
+
+ /* To allow fractional bits to be tracked, the entropy_count field is
+ * denominated in units of 1/8th bits. */
+ POOL_ENTROPY_SHIFT = 3,
+ #define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
+- POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
+-
+- /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
+- POOL_TAP1 = 104,
+- POOL_TAP2 = 76,
+- POOL_TAP3 = 51,
+- POOL_TAP4 = 25,
+- POOL_TAP5 = 1,
+-
+- EXTRACT_SIZE = BLAKE2S_HASH_SIZE / 2
++ POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT
+ };
+
+ /*
+@@ -438,6 +302,12 @@ enum poolinfo {
+ */
+ static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
+ static struct fasync_struct *fasync;
++/*
++ * If the entropy count falls under this number of bits, then we
++ * should wake up processes which are selecting or polling on write
++ * access to /dev/random.
++ */
++static int random_write_wakeup_bits = POOL_BITS * 3 / 4;
+
+ static DEFINE_SPINLOCK(random_ready_list_lock);
+ static LIST_HEAD(random_ready_list);
+@@ -493,73 +363,31 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ *
+ **********************************************************************/
+
+-static u32 input_pool_data[POOL_WORDS] __latent_entropy;
+-
+ static struct {
++ struct blake2s_state hash;
+ spinlock_t lock;
+- u16 add_ptr;
+- u16 input_rotate;
+ int entropy_count;
+ } input_pool = {
++ .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
++ BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
++ BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
++ .hash.outlen = BLAKE2S_HASH_SIZE,
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ };
+
+-static ssize_t extract_entropy(void *buf, size_t nbytes, int min);
+-static ssize_t _extract_entropy(void *buf, size_t nbytes);
++static bool extract_entropy(void *buf, size_t nbytes, int min);
++static void _extract_entropy(void *buf, size_t nbytes);
+
+ static void crng_reseed(struct crng_state *crng, bool use_input_pool);
+
+-static const u32 twist_table[8] = {
+- 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+- 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+-
+ /*
+ * This function adds bytes into the entropy "pool". It does not
+ * update the entropy estimate. The caller should call
+ * credit_entropy_bits if this is appropriate.
+- *
+- * The pool is stirred with a primitive polynomial of the appropriate
+- * degree, and then twisted. We twist by three bits at a time because
+- * it's cheap to do so and helps slightly in the expected case where
+- * the entropy is concentrated in the low-order bits.
+ */
+ static void _mix_pool_bytes(const void *in, int nbytes)
+ {
+- unsigned long i;
+- int input_rotate;
+- const u8 *bytes = in;
+- u32 w;
+-
+- input_rotate = input_pool.input_rotate;
+- i = input_pool.add_ptr;
+-
+- /* mix one byte at a time to simplify size handling and churn faster */
+- while (nbytes--) {
+- w = rol32(*bytes++, input_rotate);
+- i = (i - 1) & POOL_WORDMASK;
+-
+- /* XOR in the various taps */
+- w ^= input_pool_data[i];
+- w ^= input_pool_data[(i + POOL_TAP1) & POOL_WORDMASK];
+- w ^= input_pool_data[(i + POOL_TAP2) & POOL_WORDMASK];
+- w ^= input_pool_data[(i + POOL_TAP3) & POOL_WORDMASK];
+- w ^= input_pool_data[(i + POOL_TAP4) & POOL_WORDMASK];
+- w ^= input_pool_data[(i + POOL_TAP5) & POOL_WORDMASK];
+-
+- /* Mix the result back in with a twist */
+- input_pool_data[i] = (w >> 3) ^ twist_table[w & 7];
+-
+- /*
+- * Normally, we add 7 bits of rotation to the pool.
+- * At the beginning of the pool, add an extra 7 bits
+- * rotation, so that successive passes spread the
+- * input bits across the pool evenly.
+- */
+- input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
+- }
+-
+- input_pool.input_rotate = input_rotate;
+- input_pool.add_ptr = i;
++ blake2s_update(&input_pool.hash, in, nbytes);
+ }
+
+ static void __mix_pool_bytes(const void *in, int nbytes)
+@@ -952,15 +780,14 @@ static int crng_slow_load(const u8 *cp,
+ static void crng_reseed(struct crng_state *crng, bool use_input_pool)
+ {
+ unsigned long flags;
+- int i, num;
++ int i;
+ union {
+ u8 block[CHACHA20_BLOCK_SIZE];
+ u32 key[8];
+ } buf;
+
+ if (use_input_pool) {
+- num = extract_entropy(&buf, 32, 16);
+- if (num == 0)
++ if (!extract_entropy(&buf, 32, 16))
+ return;
+ } else {
+ _extract_crng(&primary_crng, buf.block);
+@@ -1328,74 +1155,48 @@ retry:
+ }
+
+ /*
+- * This function does the actual extraction for extract_entropy.
+- *
+- * Note: we assume that .poolwords is a multiple of 16 words.
++ * This is an HKDF-like construction for using the hashed collected entropy
++ * as a PRF key, that's then expanded block-by-block.
+ */
+-static void extract_buf(u8 *out)
++static void _extract_entropy(void *buf, size_t nbytes)
+ {
+- struct blake2s_state state __aligned(__alignof__(unsigned long));
+- u8 hash[BLAKE2S_HASH_SIZE];
+- unsigned long *salt;
+ unsigned long flags;
+-
+- blake2s_init(&state, sizeof(hash));
+-
+- /*
+- * If we have an architectural hardware random number
+- * generator, use it for BLAKE2's salt & personal fields.
+- */
+- for (salt = (unsigned long *)&state.h[4];
+- salt < (unsigned long *)&state.h[8]; ++salt) {
+- unsigned long v;
+- if (!arch_get_random_long(&v))
+- break;
+- *salt ^= v;
++ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
++ struct {
++ unsigned long rdrand[32 / sizeof(long)];
++ size_t counter;
++ } block;
++ size_t i;
++
++ for (i = 0; i < ARRAY_SIZE(block.rdrand); ++i) {
++ if (!arch_get_random_long(&block.rdrand[i]))
++ block.rdrand[i] = random_get_entropy();
+ }
+
+- /* Generate a hash across the pool */
+ spin_lock_irqsave(&input_pool.lock, flags);
+- blake2s_update(&state, (const u8 *)input_pool_data, POOL_BYTES);
+- blake2s_final(&state, hash); /* final zeros out state */
+
+- /*
+- * We mix the hash back into the pool to prevent backtracking
+- * attacks (where the attacker knows the state of the pool
+- * plus the current outputs, and attempts to find previous
+- * outputs), unless the hash function can be inverted. By
+- * mixing at least a hash worth of hash data back, we make
+- * brute-forcing the feedback as hard as brute-forcing the
+- * hash.
+- */
+- __mix_pool_bytes(hash, sizeof(hash));
+- spin_unlock_irqrestore(&input_pool.lock, flags);
++ /* seed = HASHPRF(last_key, entropy_input) */
++ blake2s_final(&input_pool.hash, seed);
+
+- /* Note that EXTRACT_SIZE is half of hash size here, because above
+- * we've dumped the full length back into mixer. By reducing the
+- * amount that we emit, we retain a level of forward secrecy.
+- */
+- memcpy(out, hash, EXTRACT_SIZE);
+- memzero_explicit(hash, sizeof(hash));
+-}
++ /* next_key = HASHPRF(seed, RDRAND || 0) */
++ block.counter = 0;
++ blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
++ blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
+
+-static ssize_t _extract_entropy(void *buf, size_t nbytes)
+-{
+- ssize_t ret = 0, i;
+- u8 tmp[EXTRACT_SIZE];
++ spin_unlock_irqrestore(&input_pool.lock, flags);
++ memzero_explicit(next_key, sizeof(next_key));
+
+ while (nbytes) {
+- extract_buf(tmp);
+- i = min_t(int, nbytes, EXTRACT_SIZE);
+- memcpy(buf, tmp, i);
++ i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
++ /* output = HASHPRF(seed, RDRAND || ++counter) */
++ ++block.counter;
++ blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
+ nbytes -= i;
+ buf += i;
+- ret += i;
+ }
+
+- /* Wipe data just returned from memory */
+- memzero_explicit(tmp, sizeof(tmp));
+-
+- return ret;
++ memzero_explicit(seed, sizeof(seed));
++ memzero_explicit(&block, sizeof(block));
+ }
+
+ /*
+@@ -1403,13 +1204,18 @@ static ssize_t _extract_entropy(void *bu
+ * returns it in a buffer.
+ *
+ * The min parameter specifies the minimum amount we can pull before
+- * failing to avoid races that defeat catastrophic reseeding.
++ * failing to avoid races that defeat catastrophic reseeding. If we
++ * have less than min entropy available, we return false and buf is
++ * not filled.
+ */
+-static ssize_t extract_entropy(void *buf, size_t nbytes, int min)
++static bool extract_entropy(void *buf, size_t nbytes, int min)
+ {
+ trace_extract_entropy(nbytes, POOL_ENTROPY_BITS(), _RET_IP_);
+- nbytes = account(nbytes, min);
+- return _extract_entropy(buf, nbytes);
++ if (account(nbytes, min)) {
++ _extract_entropy(buf, nbytes);
++ return true;
++ }
++ return false;
+ }
+
+ #define warn_unseeded_randomness(previous) \
+@@ -1673,7 +1479,7 @@ static void __init init_std_data(void)
+ unsigned long rv;
+
+ mix_pool_bytes(&now, sizeof(now));
+- for (i = POOL_BYTES; i > 0; i -= sizeof(rv)) {
++ for (i = BLAKE2S_BLOCK_SIZE; i > 0; i -= sizeof(rv)) {
+ if (!arch_get_random_seed_long(&rv) &&
+ !arch_get_random_long(&rv))
+ rv = random_get_entropy();
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Feb 2022 19:23:17 +0100
+Subject: random: use hash function for crng_slow_load()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 66e4c2b9541503d721e936cc3898c9f25f4591ff upstream.
+
+Since we have a hash function that's really fast, and the goal of
+crng_slow_load() is reportedly to "touch all of the crng's state", we
+can just hash the old state together with the new state and call it a
+day. This way we dont need to reason about another LFSR or worry about
+various attacks there. This code is only ever used at early boot and
+then never again.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 163 +++++++++++++++++-------------------------
+ include/linux/hw_random.h | 2
+ include/linux/random.h | 10 +-
+ include/trace/events/random.h | 79 +++++++++-----------
+ 4 files changed, 113 insertions(+), 141 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -69,7 +69,7 @@
+ *
+ * The primary kernel interfaces are:
+ *
+- * void get_random_bytes(void *buf, int nbytes);
++ * void get_random_bytes(void *buf, size_t nbytes);
+ * u32 get_random_u32()
+ * u64 get_random_u64()
+ * unsigned int get_random_int()
+@@ -97,14 +97,14 @@
+ * The current exported interfaces for gathering environmental noise
+ * from the devices are:
+ *
+- * void add_device_randomness(const void *buf, unsigned int size);
++ * void add_device_randomness(const void *buf, size_t size);
+ * void add_input_randomness(unsigned int type, unsigned int code,
+ * unsigned int value);
+ * void add_interrupt_randomness(int irq);
+ * void add_disk_randomness(struct gendisk *disk);
+- * void add_hwgenerator_randomness(const char *buffer, size_t count,
++ * void add_hwgenerator_randomness(const void *buffer, size_t count,
+ * size_t entropy);
+- * void add_bootloader_randomness(const void *buf, unsigned int size);
++ * void add_bootloader_randomness(const void *buf, size_t size);
+ *
+ * add_device_randomness() is for adding data to the random pool that
+ * is likely to differ between two devices (or possibly even per boot).
+@@ -268,7 +268,7 @@ static int crng_init = 0;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ static void process_random_ready_list(void);
+-static void _get_random_bytes(void *buf, int nbytes);
++static void _get_random_bytes(void *buf, size_t nbytes);
+
+ static struct ratelimit_state unseeded_warning =
+ RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
+@@ -290,7 +290,7 @@ MODULE_PARM_DESC(ratelimit_disable, "Dis
+ static struct {
+ struct blake2s_state hash;
+ spinlock_t lock;
+- int entropy_count;
++ unsigned int entropy_count;
+ } input_pool = {
+ .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
+ BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
+@@ -308,18 +308,12 @@ static void crng_reseed(void);
+ * update the entropy estimate. The caller should call
+ * credit_entropy_bits if this is appropriate.
+ */
+-static void _mix_pool_bytes(const void *in, int nbytes)
++static void _mix_pool_bytes(const void *in, size_t nbytes)
+ {
+ blake2s_update(&input_pool.hash, in, nbytes);
+ }
+
+-static void __mix_pool_bytes(const void *in, int nbytes)
+-{
+- trace_mix_pool_bytes_nolock(nbytes, _RET_IP_);
+- _mix_pool_bytes(in, nbytes);
+-}
+-
+-static void mix_pool_bytes(const void *in, int nbytes)
++static void mix_pool_bytes(const void *in, size_t nbytes)
+ {
+ unsigned long flags;
+
+@@ -383,18 +377,18 @@ static void process_random_ready_list(vo
+ spin_unlock_irqrestore(&random_ready_list_lock, flags);
+ }
+
+-static void credit_entropy_bits(int nbits)
++static void credit_entropy_bits(size_t nbits)
+ {
+- int entropy_count, orig;
++ unsigned int entropy_count, orig, add;
+
+- if (nbits <= 0)
++ if (!nbits)
+ return;
+
+- nbits = min(nbits, POOL_BITS);
++ add = min_t(size_t, nbits, POOL_BITS);
+
+ do {
+ orig = READ_ONCE(input_pool.entropy_count);
+- entropy_count = min(POOL_BITS, orig + nbits);
++ entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
+ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+
+ trace_credit_entropy_bits(nbits, entropy_count, _RET_IP_);
+@@ -441,10 +435,10 @@ static void invalidate_batched_entropy(v
+ * path. So we can't afford to dilly-dally. Returns the number of
+ * bytes processed from cp.
+ */
+-static size_t crng_fast_load(const u8 *cp, size_t len)
++static size_t crng_fast_load(const void *cp, size_t len)
+ {
+ unsigned long flags;
+- u8 *p;
++ const u8 *src = (const u8 *)cp;
+ size_t ret = 0;
+
+ if (!spin_trylock_irqsave(&base_crng.lock, flags))
+@@ -453,10 +447,9 @@ static size_t crng_fast_load(const u8 *c
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ return 0;
+ }
+- p = base_crng.key;
+ while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+- p[crng_init_cnt % sizeof(base_crng.key)] ^= *cp;
+- cp++; crng_init_cnt++; len--; ret++;
++ base_crng.key[crng_init_cnt % sizeof(base_crng.key)] ^= *src;
++ src++; crng_init_cnt++; len--; ret++;
+ }
+ if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+ invalidate_batched_entropy();
+@@ -475,42 +468,30 @@ static size_t crng_fast_load(const u8 *c
+ * all), and (2) it doesn't have the performance constraints of
+ * crng_fast_load().
+ *
+- * So we do something more comprehensive which is guaranteed to touch
+- * all of the primary_crng's state, and which uses a LFSR with a
+- * period of 255 as part of the mixing algorithm. Finally, we do
+- * *not* advance crng_init_cnt since buffer we may get may be something
+- * like a fixed DMI table (for example), which might very well be
+- * unique to the machine, but is otherwise unvarying.
++ * So, we simply hash the contents in with the current key. Finally,
++ * we do *not* advance crng_init_cnt since buffer we may get may be
++ * something like a fixed DMI table (for example), which might very
++ * well be unique to the machine, but is otherwise unvarying.
+ */
+-static int crng_slow_load(const u8 *cp, size_t len)
++static void crng_slow_load(const void *cp, size_t len)
+ {
+ unsigned long flags;
+- static u8 lfsr = 1;
+- u8 tmp;
+- unsigned int i, max = sizeof(base_crng.key);
+- const u8 *src_buf = cp;
+- u8 *dest_buf = base_crng.key;
++ struct blake2s_state hash;
++
++ blake2s_init(&hash, sizeof(base_crng.key));
+
+ if (!spin_trylock_irqsave(&base_crng.lock, flags))
+- return 0;
++ return;
+ if (crng_init != 0) {
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+- return 0;
++ return;
+ }
+- if (len > max)
+- max = len;
+
+- for (i = 0; i < max; i++) {
+- tmp = lfsr;
+- lfsr >>= 1;
+- if (tmp & 1)
+- lfsr ^= 0xE1;
+- tmp = dest_buf[i % sizeof(base_crng.key)];
+- dest_buf[i % sizeof(base_crng.key)] ^= src_buf[i % len] ^ lfsr;
+- lfsr += (tmp << 3) | (tmp >> 5);
+- }
++ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
++ blake2s_update(&hash, cp, len);
++ blake2s_final(&hash, base_crng.key);
++
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+- return 1;
+ }
+
+ static void crng_reseed(void)
+@@ -666,14 +647,15 @@ static void crng_make_state(u32 chacha_s
+ static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
+ {
+ bool large_request = nbytes > 256;
+- ssize_t ret = 0, len;
++ ssize_t ret = 0;
++ size_t len;
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ u8 output[CHACHA20_BLOCK_SIZE];
+
+ if (!nbytes)
+ return 0;
+
+- len = min_t(ssize_t, 32, nbytes);
++ len = min_t(size_t, 32, nbytes);
+ crng_make_state(chacha_state, output, len);
+
+ if (copy_to_user(buf, output, len))
+@@ -693,7 +675,7 @@ static ssize_t get_random_bytes_user(voi
+ if (unlikely(chacha_state[12] == 0))
+ ++chacha_state[13];
+
+- len = min_t(ssize_t, nbytes, CHACHA20_BLOCK_SIZE);
++ len = min_t(size_t, nbytes, CHACHA20_BLOCK_SIZE);
+ if (copy_to_user(buf, output, len)) {
+ ret = -EFAULT;
+ break;
+@@ -731,7 +713,7 @@ struct timer_rand_state {
+ * the entropy pool having similar initial state across largely
+ * identical devices.
+ */
+-void add_device_randomness(const void *buf, unsigned int size)
++void add_device_randomness(const void *buf, size_t size)
+ {
+ unsigned long time = random_get_entropy() ^ jiffies;
+ unsigned long flags;
+@@ -759,7 +741,7 @@ static struct timer_rand_state input_tim
+ * keyboard scan codes, and 256 upwards for interrupts.
+ *
+ */
+-static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
++static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
+ {
+ struct {
+ long jiffies;
+@@ -803,7 +785,7 @@ static void add_timer_randomness(struct
+ * Round down by 1 bit on general principles,
+ * and limit entropy estimate to 12 bits.
+ */
+- credit_entropy_bits(min_t(int, fls(delta >> 1), 11));
++ credit_entropy_bits(min_t(unsigned int, fls(delta >> 1), 11));
+ }
+
+ void add_input_randomness(unsigned int type, unsigned int code,
+@@ -884,8 +866,8 @@ void add_interrupt_randomness(int irq)
+ add_interrupt_bench(cycles);
+
+ if (unlikely(crng_init == 0)) {
+- if ((fast_pool->count >= 64) &&
+- crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
++ if (fast_pool->count >= 64 &&
++ crng_fast_load(fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
+ fast_pool->count = 0;
+ fast_pool->last = now;
+ if (spin_trylock(&input_pool.lock)) {
+@@ -903,7 +885,7 @@ void add_interrupt_randomness(int irq)
+ return;
+
+ fast_pool->last = now;
+- __mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
++ _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
+ spin_unlock(&input_pool.lock);
+
+ fast_pool->count = 0;
+@@ -1012,18 +994,18 @@ static void _warn_unseeded_randomness(co
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
+ */
+-static void _get_random_bytes(void *buf, int nbytes)
++static void _get_random_bytes(void *buf, size_t nbytes)
+ {
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ u8 tmp[CHACHA20_BLOCK_SIZE];
+- ssize_t len;
++ size_t len;
+
+ trace_get_random_bytes(nbytes, _RET_IP_);
+
+ if (!nbytes)
+ return;
+
+- len = min_t(ssize_t, 32, nbytes);
++ len = min_t(size_t, 32, nbytes);
+ crng_make_state(chacha_state, buf, len);
+ nbytes -= len;
+ buf += len;
+@@ -1046,7 +1028,7 @@ static void _get_random_bytes(void *buf,
+ memzero_explicit(chacha_state, sizeof(chacha_state));
+ }
+
+-void get_random_bytes(void *buf, int nbytes)
++void get_random_bytes(void *buf, size_t nbytes)
+ {
+ static void *previous;
+
+@@ -1207,25 +1189,19 @@ EXPORT_SYMBOL(del_random_ready_callback)
+
+ /*
+ * This function will use the architecture-specific hardware random
+- * number generator if it is available. The arch-specific hw RNG will
+- * almost certainly be faster than what we can do in software, but it
+- * is impossible to verify that it is implemented securely (as
+- * opposed, to, say, the AES encryption of a sequence number using a
+- * key known by the NSA). So it's useful if we need the speed, but
+- * only if we're willing to trust the hardware manufacturer not to
+- * have put in a back door.
+- *
+- * Return number of bytes filled in.
++ * number generator if it is available. It is not recommended for
++ * use. Use get_random_bytes() instead. It returns the number of
++ * bytes filled in.
+ */
+-int __must_check get_random_bytes_arch(void *buf, int nbytes)
++size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
+ {
+- int left = nbytes;
++ size_t left = nbytes;
+ u8 *p = buf;
+
+ trace_get_random_bytes_arch(left, _RET_IP_);
+ while (left) {
+ unsigned long v;
+- int chunk = min_t(int, left, sizeof(unsigned long));
++ size_t chunk = min_t(size_t, left, sizeof(unsigned long));
+
+ if (!arch_get_random_long(&v))
+ break;
+@@ -1258,12 +1234,12 @@ early_param("random.trust_cpu", parse_tr
+ */
+ int __init rand_initialize(void)
+ {
+- int i;
++ size_t i;
+ ktime_t now = ktime_get_real();
+ bool arch_init = true;
+ unsigned long rv;
+
+- for (i = BLAKE2S_BLOCK_SIZE; i > 0; i -= sizeof(rv)) {
++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
+ if (!arch_get_random_seed_long_early(&rv) &&
+ !arch_get_random_long_early(&rv)) {
+ rv = random_get_entropy();
+@@ -1312,7 +1288,7 @@ static ssize_t urandom_read_nowarn(struc
+
+ nbytes = min_t(size_t, nbytes, INT_MAX >> 6);
+ ret = get_random_bytes_user(buf, nbytes);
+- trace_urandom_read(8 * nbytes, 0, input_pool.entropy_count);
++ trace_urandom_read(nbytes, input_pool.entropy_count);
+ return ret;
+ }
+
+@@ -1356,19 +1332,18 @@ static unsigned int random_poll(struct f
+ return mask;
+ }
+
+-static int write_pool(const char __user *buffer, size_t count)
++static int write_pool(const char __user *ubuf, size_t count)
+ {
+- size_t bytes;
+- u8 buf[BLAKE2S_BLOCK_SIZE];
+- const char __user *p = buffer;
+-
+- while (count > 0) {
+- bytes = min(count, sizeof(buf));
+- if (copy_from_user(buf, p, bytes))
++ size_t len;
++ u8 block[BLAKE2S_BLOCK_SIZE];
++
++ while (count) {
++ len = min(count, sizeof(block));
++ if (copy_from_user(block, ubuf, len))
+ return -EFAULT;
+- count -= bytes;
+- p += bytes;
+- mix_pool_bytes(buf, bytes);
++ count -= len;
++ ubuf += len;
++ mix_pool_bytes(block, len);
+ cond_resched();
+ }
+
+@@ -1378,7 +1353,7 @@ static int write_pool(const char __user
+ static ssize_t random_write(struct file *file, const char __user *buffer,
+ size_t count, loff_t *ppos)
+ {
+- size_t ret;
++ int ret;
+
+ ret = write_pool(buffer, count);
+ if (ret)
+@@ -1472,8 +1447,6 @@ const struct file_operations urandom_fop
+ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
+ flags)
+ {
+- int ret;
+-
+ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+ return -EINVAL;
+
+@@ -1488,6 +1461,8 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ count = INT_MAX;
+
+ if (!(flags & GRND_INSECURE) && !crng_ready()) {
++ int ret;
++
+ if (flags & GRND_NONBLOCK)
+ return -EAGAIN;
+ ret = wait_for_random_bytes();
+@@ -1746,7 +1721,7 @@ unsigned long randomize_page(unsigned lo
+ * Those devices may produce endless random bits and will be throttled
+ * when our pool is full.
+ */
+-void add_hwgenerator_randomness(const char *buffer, size_t count,
++void add_hwgenerator_randomness(const void *buffer, size_t count,
+ size_t entropy)
+ {
+ if (unlikely(crng_init == 0)) {
+@@ -1777,7 +1752,7 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_random
+ * it would be regarded as device data.
+ * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
+ */
+-void add_bootloader_randomness(const void *buf, unsigned int size)
++void add_bootloader_randomness(const void *buf, size_t size)
+ {
+ if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
+ add_hwgenerator_randomness(buf, size, size * 8);
+--- a/include/linux/hw_random.h
++++ b/include/linux/hw_random.h
+@@ -60,6 +60,6 @@ extern int devm_hwrng_register(struct de
+ extern void hwrng_unregister(struct hwrng *rng);
+ extern void devm_hwrng_unregister(struct device *dve, struct hwrng *rng);
+ /** Feed random bits into the pool. */
+-extern void add_hwgenerator_randomness(const char *buffer, size_t count, size_t entropy);
++extern void add_hwgenerator_randomness(const void *buffer, size_t count, size_t entropy);
+
+ #endif /* LINUX_HWRANDOM_H_ */
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -20,8 +20,8 @@ struct random_ready_callback {
+ struct module *owner;
+ };
+
+-extern void add_device_randomness(const void *, unsigned int);
+-extern void add_bootloader_randomness(const void *, unsigned int);
++extern void add_device_randomness(const void *, size_t);
++extern void add_bootloader_randomness(const void *, size_t);
+
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
+@@ -37,13 +37,13 @@ extern void add_input_randomness(unsigne
+ unsigned int value) __latent_entropy;
+ extern void add_interrupt_randomness(int irq) __latent_entropy;
+
+-extern void get_random_bytes(void *buf, int nbytes);
++extern void get_random_bytes(void *buf, size_t nbytes);
+ extern int wait_for_random_bytes(void);
+ extern int __init rand_initialize(void);
+ extern bool rng_is_initialized(void);
+ extern int add_random_ready_callback(struct random_ready_callback *rdy);
+ extern void del_random_ready_callback(struct random_ready_callback *rdy);
+-extern int __must_check get_random_bytes_arch(void *buf, int nbytes);
++extern size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes);
+
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+@@ -87,7 +87,7 @@ static inline unsigned long get_random_c
+
+ /* Calls wait_for_random_bytes() and then calls get_random_bytes(buf, nbytes).
+ * Returns the result of the call to wait_for_random_bytes. */
+-static inline int get_random_bytes_wait(void *buf, int nbytes)
++static inline int get_random_bytes_wait(void *buf, size_t nbytes)
+ {
+ int ret = wait_for_random_bytes();
+ get_random_bytes(buf, nbytes);
+--- a/include/trace/events/random.h
++++ b/include/trace/events/random.h
+@@ -9,13 +9,13 @@
+ #include <linux/tracepoint.h>
+
+ TRACE_EVENT(add_device_randomness,
+- TP_PROTO(int bytes, unsigned long IP),
++ TP_PROTO(size_t bytes, unsigned long IP),
+
+ TP_ARGS(bytes, IP),
+
+ TP_STRUCT__entry(
+- __field( int, bytes )
+- __field(unsigned long, IP )
++ __field(size_t, bytes )
++ __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+@@ -23,18 +23,18 @@ TRACE_EVENT(add_device_randomness,
+ __entry->IP = IP;
+ ),
+
+- TP_printk("bytes %d caller %pS",
++ TP_printk("bytes %zu caller %pS",
+ __entry->bytes, (void *)__entry->IP)
+ );
+
+ DECLARE_EVENT_CLASS(random__mix_pool_bytes,
+- TP_PROTO(int bytes, unsigned long IP),
++ TP_PROTO(size_t bytes, unsigned long IP),
+
+ TP_ARGS(bytes, IP),
+
+ TP_STRUCT__entry(
+- __field( int, bytes )
+- __field(unsigned long, IP )
++ __field(size_t, bytes )
++ __field(unsigned long, IP )
+ ),
+
+ TP_fast_assign(
+@@ -42,12 +42,12 @@ DECLARE_EVENT_CLASS(random__mix_pool_byt
+ __entry->IP = IP;
+ ),
+
+- TP_printk("input pool: bytes %d caller %pS",
++ TP_printk("input pool: bytes %zu caller %pS",
+ __entry->bytes, (void *)__entry->IP)
+ );
+
+ DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes,
+- TP_PROTO(int bytes, unsigned long IP),
++ TP_PROTO(size_t bytes, unsigned long IP),
+
+ TP_ARGS(bytes, IP)
+ );
+@@ -59,13 +59,13 @@ DEFINE_EVENT(random__mix_pool_bytes, mix
+ );
+
+ TRACE_EVENT(credit_entropy_bits,
+- TP_PROTO(int bits, int entropy_count, unsigned long IP),
++ TP_PROTO(size_t bits, size_t entropy_count, unsigned long IP),
+
+ TP_ARGS(bits, entropy_count, IP),
+
+ TP_STRUCT__entry(
+- __field( int, bits )
+- __field( int, entropy_count )
++ __field(size_t, bits )
++ __field(size_t, entropy_count )
+ __field(unsigned long, IP )
+ ),
+
+@@ -75,34 +75,34 @@ TRACE_EVENT(credit_entropy_bits,
+ __entry->IP = IP;
+ ),
+
+- TP_printk("input pool: bits %d entropy_count %d caller %pS",
++ TP_printk("input pool: bits %zu entropy_count %zu caller %pS",
+ __entry->bits, __entry->entropy_count, (void *)__entry->IP)
+ );
+
+ TRACE_EVENT(add_input_randomness,
+- TP_PROTO(int input_bits),
++ TP_PROTO(size_t input_bits),
+
+ TP_ARGS(input_bits),
+
+ TP_STRUCT__entry(
+- __field( int, input_bits )
++ __field(size_t, input_bits )
+ ),
+
+ TP_fast_assign(
+ __entry->input_bits = input_bits;
+ ),
+
+- TP_printk("input_pool_bits %d", __entry->input_bits)
++ TP_printk("input_pool_bits %zu", __entry->input_bits)
+ );
+
+ TRACE_EVENT(add_disk_randomness,
+- TP_PROTO(dev_t dev, int input_bits),
++ TP_PROTO(dev_t dev, size_t input_bits),
+
+ TP_ARGS(dev, input_bits),
+
+ TP_STRUCT__entry(
+- __field( dev_t, dev )
+- __field( int, input_bits )
++ __field(dev_t, dev )
++ __field(size_t, input_bits )
+ ),
+
+ TP_fast_assign(
+@@ -110,17 +110,17 @@ TRACE_EVENT(add_disk_randomness,
+ __entry->input_bits = input_bits;
+ ),
+
+- TP_printk("dev %d,%d input_pool_bits %d", MAJOR(__entry->dev),
++ TP_printk("dev %d,%d input_pool_bits %zu", MAJOR(__entry->dev),
+ MINOR(__entry->dev), __entry->input_bits)
+ );
+
+ DECLARE_EVENT_CLASS(random__get_random_bytes,
+- TP_PROTO(int nbytes, unsigned long IP),
++ TP_PROTO(size_t nbytes, unsigned long IP),
+
+ TP_ARGS(nbytes, IP),
+
+ TP_STRUCT__entry(
+- __field( int, nbytes )
++ __field(size_t, nbytes )
+ __field(unsigned long, IP )
+ ),
+
+@@ -129,29 +129,29 @@ DECLARE_EVENT_CLASS(random__get_random_b
+ __entry->IP = IP;
+ ),
+
+- TP_printk("nbytes %d caller %pS", __entry->nbytes, (void *)__entry->IP)
++ TP_printk("nbytes %zu caller %pS", __entry->nbytes, (void *)__entry->IP)
+ );
+
+ DEFINE_EVENT(random__get_random_bytes, get_random_bytes,
+- TP_PROTO(int nbytes, unsigned long IP),
++ TP_PROTO(size_t nbytes, unsigned long IP),
+
+ TP_ARGS(nbytes, IP)
+ );
+
+ DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch,
+- TP_PROTO(int nbytes, unsigned long IP),
++ TP_PROTO(size_t nbytes, unsigned long IP),
+
+ TP_ARGS(nbytes, IP)
+ );
+
+ DECLARE_EVENT_CLASS(random__extract_entropy,
+- TP_PROTO(int nbytes, int entropy_count),
++ TP_PROTO(size_t nbytes, size_t entropy_count),
+
+ TP_ARGS(nbytes, entropy_count),
+
+ TP_STRUCT__entry(
+- __field( int, nbytes )
+- __field( int, entropy_count )
++ __field( size_t, nbytes )
++ __field( size_t, entropy_count )
+ ),
+
+ TP_fast_assign(
+@@ -159,37 +159,34 @@ DECLARE_EVENT_CLASS(random__extract_entr
+ __entry->entropy_count = entropy_count;
+ ),
+
+- TP_printk("input pool: nbytes %d entropy_count %d",
++ TP_printk("input pool: nbytes %zu entropy_count %zu",
+ __entry->nbytes, __entry->entropy_count)
+ );
+
+
+ DEFINE_EVENT(random__extract_entropy, extract_entropy,
+- TP_PROTO(int nbytes, int entropy_count),
++ TP_PROTO(size_t nbytes, size_t entropy_count),
+
+ TP_ARGS(nbytes, entropy_count)
+ );
+
+ TRACE_EVENT(urandom_read,
+- TP_PROTO(int got_bits, int pool_left, int input_left),
++ TP_PROTO(size_t nbytes, size_t entropy_count),
+
+- TP_ARGS(got_bits, pool_left, input_left),
++ TP_ARGS(nbytes, entropy_count),
+
+ TP_STRUCT__entry(
+- __field( int, got_bits )
+- __field( int, pool_left )
+- __field( int, input_left )
++ __field( size_t, nbytes )
++ __field( size_t, entropy_count )
+ ),
+
+ TP_fast_assign(
+- __entry->got_bits = got_bits;
+- __entry->pool_left = pool_left;
+- __entry->input_left = input_left;
++ __entry->nbytes = nbytes;
++ __entry->entropy_count = entropy_count;
+ ),
+
+- TP_printk("got_bits %d nonblocking_pool_entropy_left %d "
+- "input_entropy_left %d", __entry->got_bits,
+- __entry->pool_left, __entry->input_left)
++ TP_printk("reading: nbytes %zu entropy_count %zu",
++ __entry->nbytes, __entry->entropy_count)
+ );
+
+ #endif /* _TRACE_RANDOM_H */
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 30 Dec 2021 15:59:26 +0100
+Subject: random: use IS_ENABLED(CONFIG_NUMA) instead of ifdefs
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 7b87324112df2e1f9b395217361626362dcfb9fb upstream.
+
+Rather than an awkward combination of ifdefs and __maybe_unused, we can
+ensure more source gets parsed, regardless of the configuration, by
+using IS_ENABLED for the CONFIG_NUMA conditional code. This makes things
+cleaner and easier to follow.
+
+I've confirmed that on !CONFIG_NUMA, we don't wind up with excess code
+by accident; the generated object file is the same.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -761,7 +761,6 @@ static int credit_entropy_bits_safe(stru
+
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+
+-#ifdef CONFIG_NUMA
+ /*
+ * Hack to deal with crazy userspace progams when they are all trying
+ * to access /dev/urandom in parallel. The programs are almost
+@@ -769,7 +768,6 @@ static DECLARE_WAIT_QUEUE_HEAD(crng_init
+ * their brain damage.
+ */
+ static struct crng_state **crng_node_pool __read_mostly;
+-#endif
+
+ static void invalidate_batched_entropy(void);
+
+@@ -816,7 +814,7 @@ static bool __init crng_init_try_arch_ea
+ return arch_init;
+ }
+
+-static void __maybe_unused crng_initialize_secondary(struct crng_state *crng)
++static void crng_initialize_secondary(struct crng_state *crng)
+ {
+ memcpy(&crng->state[0], "expand 32-byte k", 16);
+ _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
+@@ -867,7 +865,6 @@ static void crng_finalize_init(struct cr
+ }
+ }
+
+-#ifdef CONFIG_NUMA
+ static void do_numa_crng_init(struct work_struct *work)
+ {
+ int i;
+@@ -894,29 +891,24 @@ static DECLARE_WORK(numa_crng_init_work,
+
+ static void numa_crng_init(void)
+ {
+- schedule_work(&numa_crng_init_work);
++ if (IS_ENABLED(CONFIG_NUMA))
++ schedule_work(&numa_crng_init_work);
+ }
+
+ static struct crng_state *select_crng(void)
+ {
+- struct crng_state **pool;
+- int nid = numa_node_id();
+-
+- /* pairs with cmpxchg_release() in do_numa_crng_init() */
+- pool = READ_ONCE(crng_node_pool);
+- if (pool && pool[nid])
+- return pool[nid];
+-
+- return &primary_crng;
+-}
+-#else
+-static void numa_crng_init(void) {}
++ if (IS_ENABLED(CONFIG_NUMA)) {
++ struct crng_state **pool;
++ int nid = numa_node_id();
++
++ /* pairs with cmpxchg_release() in do_numa_crng_init() */
++ pool = READ_ONCE(crng_node_pool);
++ if (pool && pool[nid])
++ return pool[nid];
++ }
+
+-static struct crng_state *select_crng(void)
+-{
+ return &primary_crng;
+ }
+-#endif
+
+ /*
+ * crng_fast_load() can be called by code in the interrupt service
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 3 Feb 2022 13:28:06 +0100
+Subject: random: use linear min-entropy accumulation crediting
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit c570449094844527577c5c914140222cb1893e3f upstream.
+
+30e37ec516ae ("random: account for entropy loss due to overwrites")
+assumed that adding new entropy to the LFSR pool probabilistically
+cancelled out old entropy there, so entropy was credited asymptotically,
+approximating Shannon entropy of independent sources (rather than a
+stronger min-entropy notion) using 1/8th fractional bits and replacing
+a constant 2-2/√𝑒 term (~0.786938) with 3/4 (0.75) to slightly
+underestimate it. This wasn't superb, but it was perhaps better than
+nothing, so that's what was done. Which entropy specifically was being
+cancelled out and how much precisely each time is hard to tell, though
+as I showed with the attack code in my previous commit, a motivated
+adversary with sufficient information can actually cancel out
+everything.
+
+Since we're no longer using an LFSR for entropy accumulation, this
+probabilistic cancellation is no longer relevant. Rather, we're now
+using a computational hash function as the accumulator and we've
+switched to working in the random oracle model, from which we can now
+revisit the question of min-entropy accumulation, which is done in
+detail in <https://eprint.iacr.org/2019/198>.
+
+Consider a long input bit string that is built by concatenating various
+smaller independent input bit strings. Each one of these inputs has a
+designated min-entropy, which is what we're passing to
+credit_entropy_bits(h). When we pass the concatenation of these to a
+random oracle, it means that an adversary trying to receive back the
+same reply as us would need to become certain about each part of the
+concatenated bit string we passed in, which means becoming certain about
+all of those h values. That means we can estimate the accumulation by
+simply adding up the h values in calls to credit_entropy_bits(h);
+there's no probabilistic cancellation at play like there was said to be
+for the LFSR. Incidentally, this is also what other entropy accumulators
+based on computational hash functions do as well.
+
+So this commit replaces credit_entropy_bits(h) with essentially `total =
+min(POOL_BITS, total + h)`, done with a cmpxchg loop as before.
+
+What if we're wrong and the above is nonsense? It's not, but let's
+assume we don't want the actual _behavior_ of the code to change much.
+Currently that behavior is not extracting from the input pool until it
+has 128 bits of entropy in it. With the old algorithm, we'd hit that
+magic 128 number after roughly 256 calls to credit_entropy_bits(1). So,
+we can retain more or less the old behavior by waiting to extract from
+the input pool until it hits 256 bits of entropy using the new code. For
+people concerned about this change, it means that there's not that much
+practical behavioral change. And for folks actually trying to model
+the behavior rigorously, it means that we have an even higher margin
+against attacks.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 114 ++++++++------------------------------------------
+ 1 file changed, 20 insertions(+), 94 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -286,17 +286,9 @@
+
+ /* #define ADD_INTERRUPT_BENCH */
+
+-enum poolinfo {
++enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+- POOL_BITSHIFT = ilog2(POOL_BITS),
+- POOL_MIN_BITS = POOL_BITS / 2,
+-
+- /* To allow fractional bits to be tracked, the entropy_count field is
+- * denominated in units of 1/8th bits. */
+- POOL_ENTROPY_SHIFT = 3,
+-#define POOL_ENTROPY_BITS() (input_pool.entropy_count >> POOL_ENTROPY_SHIFT)
+- POOL_FRACBITS = POOL_BITS << POOL_ENTROPY_SHIFT,
+- POOL_MIN_FRACBITS = POOL_MIN_BITS << POOL_ENTROPY_SHIFT
++ POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+ };
+
+ /*
+@@ -309,7 +301,7 @@ static struct fasync_struct *fasync;
+ * should wake up processes which are selecting or polling on write
+ * access to /dev/random.
+ */
+-static int random_write_wakeup_bits = POOL_BITS * 3 / 4;
++static int random_write_wakeup_bits = POOL_MIN_BITS;
+
+ static DEFINE_SPINLOCK(random_ready_list_lock);
+ static LIST_HEAD(random_ready_list);
+@@ -469,66 +461,18 @@ static void process_random_ready_list(vo
+ static void credit_entropy_bits(int nbits)
+ {
+ int entropy_count, orig;
+- int nfrac = nbits << POOL_ENTROPY_SHIFT;
+-
+- /* Ensure that the multiplication can avoid being 64 bits wide. */
+- BUILD_BUG_ON(2 * (POOL_ENTROPY_SHIFT + POOL_BITSHIFT) > 31);
+
+ if (!nbits)
+ return;
+
+-retry:
+- entropy_count = orig = READ_ONCE(input_pool.entropy_count);
+- if (nfrac < 0) {
+- /* Debit */
+- entropy_count += nfrac;
+- } else {
+- /*
+- * Credit: we have to account for the possibility of
+- * overwriting already present entropy. Even in the
+- * ideal case of pure Shannon entropy, new contributions
+- * approach the full value asymptotically:
+- *
+- * entropy <- entropy + (pool_size - entropy) *
+- * (1 - exp(-add_entropy/pool_size))
+- *
+- * For add_entropy <= pool_size/2 then
+- * (1 - exp(-add_entropy/pool_size)) >=
+- * (add_entropy/pool_size)*0.7869...
+- * so we can approximate the exponential with
+- * 3/4*add_entropy/pool_size and still be on the
+- * safe side by adding at most pool_size/2 at a time.
+- *
+- * The use of pool_size-2 in the while statement is to
+- * prevent rounding artifacts from making the loop
+- * arbitrarily long; this limits the loop to log2(pool_size)*2
+- * turns no matter how large nbits is.
+- */
+- int pnfrac = nfrac;
+- const int s = POOL_BITSHIFT + POOL_ENTROPY_SHIFT + 2;
+- /* The +2 corresponds to the /4 in the denominator */
+-
+- do {
+- unsigned int anfrac = min(pnfrac, POOL_FRACBITS / 2);
+- unsigned int add =
+- ((POOL_FRACBITS - entropy_count) * anfrac * 3) >> s;
+-
+- entropy_count += add;
+- pnfrac -= anfrac;
+- } while (unlikely(entropy_count < POOL_FRACBITS - 2 && pnfrac));
+- }
+-
+- if (WARN_ON(entropy_count < 0)) {
+- pr_warn("negative entropy/overflow: count %d\n", entropy_count);
+- entropy_count = 0;
+- } else if (entropy_count > POOL_FRACBITS)
+- entropy_count = POOL_FRACBITS;
+- if (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig)
+- goto retry;
++ do {
++ orig = READ_ONCE(input_pool.entropy_count);
++ entropy_count = min(POOL_BITS, orig + nbits);
++ } while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+
+- trace_credit_entropy_bits(nbits, entropy_count >> POOL_ENTROPY_SHIFT, _RET_IP_);
++ trace_credit_entropy_bits(nbits, entropy_count, _RET_IP_);
+
+- if (crng_init < 2 && entropy_count >= POOL_MIN_FRACBITS)
++ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+ crng_reseed(&primary_crng, true);
+ }
+
+@@ -790,7 +734,7 @@ static void crng_reseed(struct crng_stat
+ int entropy_count;
+ do {
+ entropy_count = READ_ONCE(input_pool.entropy_count);
+- if (entropy_count < POOL_MIN_FRACBITS)
++ if (entropy_count < POOL_MIN_BITS)
+ return;
+ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+ extract_entropy(buf.key, sizeof(buf.key));
+@@ -1013,7 +957,7 @@ void add_input_randomness(unsigned int t
+ last_value = value;
+ add_timer_randomness(&input_timer_state,
+ (type << 4) ^ code ^ (code >> 4) ^ value);
+- trace_add_input_randomness(POOL_ENTROPY_BITS());
++ trace_add_input_randomness(input_pool.entropy_count);
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+
+@@ -1111,7 +1055,7 @@ void add_disk_randomness(struct gendisk
+ return;
+ /* first major is 1, so we get >= 0x200 here */
+ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
+- trace_add_disk_randomness(disk_devt(disk), POOL_ENTROPY_BITS());
++ trace_add_disk_randomness(disk_devt(disk), input_pool.entropy_count);
+ }
+ EXPORT_SYMBOL_GPL(add_disk_randomness);
+ #endif
+@@ -1136,7 +1080,7 @@ static void extract_entropy(void *buf, s
+ } block;
+ size_t i;
+
+- trace_extract_entropy(nbytes, POOL_ENTROPY_BITS());
++ trace_extract_entropy(nbytes, input_pool.entropy_count);
+
+ for (i = 0; i < ARRAY_SIZE(block.rdrand); ++i) {
+ if (!arch_get_random_long(&block.rdrand[i]))
+@@ -1485,9 +1429,9 @@ static ssize_t urandom_read_nowarn(struc
+ {
+ int ret;
+
+- nbytes = min_t(size_t, nbytes, INT_MAX >> (POOL_ENTROPY_SHIFT + 3));
++ nbytes = min_t(size_t, nbytes, INT_MAX >> 6);
+ ret = extract_crng_user(buf, nbytes);
+- trace_urandom_read(8 * nbytes, 0, POOL_ENTROPY_BITS());
++ trace_urandom_read(8 * nbytes, 0, input_pool.entropy_count);
+ return ret;
+ }
+
+@@ -1526,7 +1470,7 @@ static unsigned int random_poll(struct f
+ mask = 0;
+ if (crng_ready())
+ mask |= POLLIN | POLLRDNORM;
+- if (POOL_ENTROPY_BITS() < random_write_wakeup_bits)
++ if (input_pool.entropy_count < random_write_wakeup_bits)
+ mask |= POLLOUT | POLLWRNORM;
+ return mask;
+ }
+@@ -1581,8 +1525,7 @@ static long random_ioctl(struct file *f,
+ switch (cmd) {
+ case RNDGETENTCNT:
+ /* inherently racy, no point locking */
+- ent_count = POOL_ENTROPY_BITS();
+- if (put_user(ent_count, p))
++ if (put_user(input_pool.entropy_count, p))
+ return -EFAULT;
+ return 0;
+ case RNDADDTOENTCNT:
+@@ -1728,23 +1671,6 @@ static int proc_do_uuid(struct ctl_table
+ return proc_dostring(&fake_table, write, buffer, lenp, ppos);
+ }
+
+-/*
+- * Return entropy available scaled to integral bits
+- */
+-static int proc_do_entropy(struct ctl_table *table, int write,
+- void __user *buffer, size_t *lenp, loff_t *ppos)
+-{
+- struct ctl_table fake_table;
+- int entropy_count;
+-
+- entropy_count = *(int *)table->data >> POOL_ENTROPY_SHIFT;
+-
+- fake_table.data = &entropy_count;
+- fake_table.maxlen = sizeof(entropy_count);
+-
+- return proc_dointvec(&fake_table, write, buffer, lenp, ppos);
+-}
+-
+ static int sysctl_poolsize = POOL_BITS;
+ extern struct ctl_table random_table[];
+ struct ctl_table random_table[] = {
+@@ -1757,10 +1683,10 @@ struct ctl_table random_table[] = {
+ },
+ {
+ .procname = "entropy_avail",
++ .data = &input_pool.entropy_count,
+ .maxlen = sizeof(int),
+ .mode = 0444,
+- .proc_handler = proc_do_entropy,
+- .data = &input_pool.entropy_count,
++ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "write_wakeup_threshold",
+@@ -1956,7 +1882,7 @@ void add_hwgenerator_randomness(const ch
+ */
+ wait_event_interruptible_timeout(random_write_wait,
+ !system_wq || kthread_should_stop() ||
+- POOL_ENTROPY_BITS() <= random_write_wakeup_bits,
++ input_pool.entropy_count <= random_write_wakeup_bits,
+ CRNG_RESEED_INTERVAL);
+ mix_pool_bytes(buffer, count);
+ credit_entropy_bits(entropy);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 10 May 2022 15:20:42 +0200
+Subject: random: use proper jiffies comparison macro
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 8a5b8a4a4ceb353b4dd5bafd09e2b15751bcdb51 upstream.
+
+This expands to exactly the same code that it replaces, but makes things
+consistent by using the same macro for jiffy comparisons throughout.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -324,7 +324,7 @@ static bool crng_has_old_seed(void)
+ interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL,
+ (unsigned int)uptime / 2 * HZ);
+ }
+- return time_after(jiffies, READ_ONCE(base_crng.birth) + interval);
++ return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval);
+ }
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 13 May 2022 12:32:23 +0200
+Subject: random: use proper return types on get_random_{int,long}_wait()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 7c3a8a1db5e03d02cc0abb3357a84b8b326dfac3 upstream.
+
+Before these were returning signed values, but the API is intended to be
+used with unsigned values.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 195 +++++++++++++++++++++++--------------------------
+ include/linux/random.h | 24 +++---
+ 2 files changed, 107 insertions(+), 112 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -210,7 +210,7 @@ static void _warn_unseeded_randomness(co
+ *
+ * There are a few exported interfaces for use by other drivers:
+ *
+- * void get_random_bytes(void *buf, size_t nbytes)
++ * void get_random_bytes(void *buf, size_t len)
+ * u32 get_random_u32()
+ * u64 get_random_u64()
+ * unsigned int get_random_int()
+@@ -249,7 +249,7 @@ static DEFINE_PER_CPU(struct crng, crngs
+ };
+
+ /* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */
+-static void extract_entropy(void *buf, size_t nbytes);
++static void extract_entropy(void *buf, size_t len);
+
+ /* This extracts a new crng key from the input pool. */
+ static void crng_reseed(void)
+@@ -403,24 +403,24 @@ static void crng_make_state(u32 chacha_s
+ local_irq_restore(flags);
+ }
+
+-static void _get_random_bytes(void *buf, size_t nbytes)
++static void _get_random_bytes(void *buf, size_t len)
+ {
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ u8 tmp[CHACHA20_BLOCK_SIZE];
+- size_t len;
++ size_t first_block_len;
+
+- if (!nbytes)
++ if (!len)
+ return;
+
+- len = min_t(size_t, 32, nbytes);
+- crng_make_state(chacha_state, buf, len);
+- nbytes -= len;
+- buf += len;
++ first_block_len = min_t(size_t, 32, len);
++ crng_make_state(chacha_state, buf, first_block_len);
++ len -= first_block_len;
++ buf += first_block_len;
+
+- while (nbytes) {
+- if (nbytes < CHACHA20_BLOCK_SIZE) {
++ while (len) {
++ if (len < CHACHA20_BLOCK_SIZE) {
+ chacha20_block(chacha_state, tmp);
+- memcpy(buf, tmp, nbytes);
++ memcpy(buf, tmp, len);
+ memzero_explicit(tmp, sizeof(tmp));
+ break;
+ }
+@@ -428,7 +428,7 @@ static void _get_random_bytes(void *buf,
+ chacha20_block(chacha_state, buf);
+ if (unlikely(chacha_state[12] == 0))
+ ++chacha_state[13];
+- nbytes -= CHACHA20_BLOCK_SIZE;
++ len -= CHACHA20_BLOCK_SIZE;
+ buf += CHACHA20_BLOCK_SIZE;
+ }
+
+@@ -445,20 +445,20 @@ static void _get_random_bytes(void *buf,
+ * wait_for_random_bytes() should be called and return 0 at least once
+ * at any point prior.
+ */
+-void get_random_bytes(void *buf, size_t nbytes)
++void get_random_bytes(void *buf, size_t len)
+ {
+ warn_unseeded_randomness();
+- _get_random_bytes(buf, nbytes);
++ _get_random_bytes(buf, len);
+ }
+ EXPORT_SYMBOL(get_random_bytes);
+
+-static ssize_t get_random_bytes_user(void __user *buf, size_t nbytes)
++static ssize_t get_random_bytes_user(void __user *ubuf, size_t len)
+ {
+- size_t len, left, ret = 0;
++ size_t block_len, left, ret = 0;
+ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+ u8 output[CHACHA20_BLOCK_SIZE];
+
+- if (!nbytes)
++ if (!len)
+ return 0;
+
+ /*
+@@ -472,8 +472,8 @@ static ssize_t get_random_bytes_user(voi
+ * use chacha_state after, so we can simply return those bytes to
+ * the user directly.
+ */
+- if (nbytes <= CHACHA20_KEY_SIZE) {
+- ret = nbytes - copy_to_user(buf, &chacha_state[4], nbytes);
++ if (len <= CHACHA20_KEY_SIZE) {
++ ret = len - copy_to_user(ubuf, &chacha_state[4], len);
+ goto out_zero_chacha;
+ }
+
+@@ -482,17 +482,17 @@ static ssize_t get_random_bytes_user(voi
+ if (unlikely(chacha_state[12] == 0))
+ ++chacha_state[13];
+
+- len = min_t(size_t, nbytes, CHACHA20_BLOCK_SIZE);
+- left = copy_to_user(buf, output, len);
++ block_len = min_t(size_t, len, CHACHA20_BLOCK_SIZE);
++ left = copy_to_user(ubuf, output, block_len);
+ if (left) {
+- ret += len - left;
++ ret += block_len - left;
+ break;
+ }
+
+- buf += len;
+- ret += len;
+- nbytes -= len;
+- if (!nbytes)
++ ubuf += block_len;
++ ret += block_len;
++ len -= block_len;
++ if (!len)
+ break;
+
+ BUILD_BUG_ON(PAGE_SIZE % CHACHA20_BLOCK_SIZE != 0);
+@@ -663,24 +663,24 @@ unsigned long randomize_page(unsigned lo
+ * use. Use get_random_bytes() instead. It returns the number of
+ * bytes filled in.
+ */
+-size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes)
++size_t __must_check get_random_bytes_arch(void *buf, size_t len)
+ {
+- size_t left = nbytes;
++ size_t left = len;
+ u8 *p = buf;
+
+ while (left) {
+ unsigned long v;
+- size_t chunk = min_t(size_t, left, sizeof(unsigned long));
++ size_t block_len = min_t(size_t, left, sizeof(unsigned long));
+
+ if (!arch_get_random_long(&v))
+ break;
+
+- memcpy(p, &v, chunk);
+- p += chunk;
+- left -= chunk;
++ memcpy(p, &v, block_len);
++ p += block_len;
++ left -= block_len;
+ }
+
+- return nbytes - left;
++ return len - left;
+ }
+ EXPORT_SYMBOL(get_random_bytes_arch);
+
+@@ -691,15 +691,15 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+ *
+ * Callers may add entropy via:
+ *
+- * static void mix_pool_bytes(const void *in, size_t nbytes)
++ * static void mix_pool_bytes(const void *buf, size_t len)
+ *
+ * After which, if added entropy should be credited:
+ *
+- * static void credit_init_bits(size_t nbits)
++ * static void credit_init_bits(size_t bits)
+ *
+ * Finally, extract entropy via:
+ *
+- * static void extract_entropy(void *buf, size_t nbytes)
++ * static void extract_entropy(void *buf, size_t len)
+ *
+ **********************************************************************/
+
+@@ -721,9 +721,9 @@ static struct {
+ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
+ };
+
+-static void _mix_pool_bytes(const void *in, size_t nbytes)
++static void _mix_pool_bytes(const void *buf, size_t len)
+ {
+- blake2s_update(&input_pool.hash, in, nbytes);
++ blake2s_update(&input_pool.hash, buf, len);
+ }
+
+ /*
+@@ -731,12 +731,12 @@ static void _mix_pool_bytes(const void *
+ * update the initialization bit counter; the caller should call
+ * credit_init_bits if this is appropriate.
+ */
+-static void mix_pool_bytes(const void *in, size_t nbytes)
++static void mix_pool_bytes(const void *buf, size_t len)
+ {
+ unsigned long flags;
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+- _mix_pool_bytes(in, nbytes);
++ _mix_pool_bytes(buf, len);
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+
+@@ -744,7 +744,7 @@ static void mix_pool_bytes(const void *i
+ * This is an HKDF-like construction for using the hashed collected entropy
+ * as a PRF key, that's then expanded block-by-block.
+ */
+-static void extract_entropy(void *buf, size_t nbytes)
++static void extract_entropy(void *buf, size_t len)
+ {
+ unsigned long flags;
+ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
+@@ -773,12 +773,12 @@ static void extract_entropy(void *buf, s
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ memzero_explicit(next_key, sizeof(next_key));
+
+- while (nbytes) {
+- i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
++ while (len) {
++ i = min_t(size_t, len, BLAKE2S_HASH_SIZE);
+ /* output = HASHPRF(seed, RDSEED || ++counter) */
+ ++block.counter;
+ blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
+- nbytes -= i;
++ len -= i;
+ buf += i;
+ }
+
+@@ -786,16 +786,16 @@ static void extract_entropy(void *buf, s
+ memzero_explicit(&block, sizeof(block));
+ }
+
+-static void credit_init_bits(size_t nbits)
++static void credit_init_bits(size_t bits)
+ {
+ static struct execute_work set_ready;
+ unsigned int new, orig, add;
+ unsigned long flags;
+
+- if (crng_ready() || !nbits)
++ if (crng_ready() || !bits)
+ return;
+
+- add = min_t(size_t, nbits, POOL_BITS);
++ add = min_t(size_t, bits, POOL_BITS);
+
+ do {
+ orig = READ_ONCE(input_pool.init_bits);
+@@ -831,13 +831,11 @@ static void credit_init_bits(size_t nbit
+ * The following exported functions are used for pushing entropy into
+ * the above entropy accumulation routines:
+ *
+- * void add_device_randomness(const void *buf, size_t size);
+- * void add_hwgenerator_randomness(const void *buffer, size_t count,
+- * size_t entropy);
+- * void add_bootloader_randomness(const void *buf, size_t size);
++ * void add_device_randomness(const void *buf, size_t len);
++ * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy);
++ * void add_bootloader_randomness(const void *buf, size_t len);
+ * void add_interrupt_randomness(int irq);
+- * void add_input_randomness(unsigned int type, unsigned int code,
+- * unsigned int value);
++ * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value);
+ * void add_disk_randomness(struct gendisk *disk);
+ *
+ * add_device_randomness() adds data to the input pool that
+@@ -901,7 +899,7 @@ int __init random_init(const char *comma
+ {
+ ktime_t now = ktime_get_real();
+ unsigned int i, arch_bytes;
+- unsigned long rv;
++ unsigned long entropy;
+
+ #if defined(LATENT_ENTROPY_PLUGIN)
+ static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
+@@ -909,13 +907,13 @@ int __init random_init(const char *comma
+ #endif
+
+ for (i = 0, arch_bytes = BLAKE2S_BLOCK_SIZE;
+- i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) {
+- if (!arch_get_random_seed_long_early(&rv) &&
+- !arch_get_random_long_early(&rv)) {
+- rv = random_get_entropy();
+- arch_bytes -= sizeof(rv);
++ i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) {
++ if (!arch_get_random_seed_long_early(&entropy) &&
++ !arch_get_random_long_early(&entropy)) {
++ entropy = random_get_entropy();
++ arch_bytes -= sizeof(entropy);
+ }
+- _mix_pool_bytes(&rv, sizeof(rv));
++ _mix_pool_bytes(&entropy, sizeof(entropy));
+ }
+ _mix_pool_bytes(&now, sizeof(now));
+ _mix_pool_bytes(utsname(), sizeof(*(utsname())));
+@@ -938,14 +936,14 @@ int __init random_init(const char *comma
+ * the entropy pool having similar initial state across largely
+ * identical devices.
+ */
+-void add_device_randomness(const void *buf, size_t size)
++void add_device_randomness(const void *buf, size_t len)
+ {
+ unsigned long entropy = random_get_entropy();
+ unsigned long flags;
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+ _mix_pool_bytes(&entropy, sizeof(entropy));
+- _mix_pool_bytes(buf, size);
++ _mix_pool_bytes(buf, len);
+ spin_unlock_irqrestore(&input_pool.lock, flags);
+ }
+ EXPORT_SYMBOL(add_device_randomness);
+@@ -955,10 +953,9 @@ EXPORT_SYMBOL(add_device_randomness);
+ * Those devices may produce endless random bits and will be throttled
+ * when our pool is full.
+ */
+-void add_hwgenerator_randomness(const void *buffer, size_t count,
+- size_t entropy)
++void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy)
+ {
+- mix_pool_bytes(buffer, count);
++ mix_pool_bytes(buf, len);
+ credit_init_bits(entropy);
+
+ /*
+@@ -974,11 +971,11 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_random
+ * Handle random seed passed by bootloader, and credit it if
+ * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
+ */
+-void add_bootloader_randomness(const void *buf, size_t size)
++void add_bootloader_randomness(const void *buf, size_t len)
+ {
+- mix_pool_bytes(buf, size);
++ mix_pool_bytes(buf, len);
+ if (trust_bootloader)
+- credit_init_bits(size * 8);
++ credit_init_bits(len * 8);
+ }
+ EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+@@ -1178,8 +1175,7 @@ static void add_timer_randomness(struct
+ credit_init_bits(bits);
+ }
+
+-void add_input_randomness(unsigned int type, unsigned int code,
+- unsigned int value)
++void add_input_randomness(unsigned int type, unsigned int code, unsigned int value)
+ {
+ static unsigned char last_value;
+ static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
+@@ -1298,8 +1294,7 @@ static void try_to_generate_entropy(void
+ *
+ **********************************************************************/
+
+-SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int,
+- flags)
++SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags)
+ {
+ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+ return -EINVAL;
+@@ -1311,8 +1306,8 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+ return -EINVAL;
+
+- if (count > INT_MAX)
+- count = INT_MAX;
++ if (len > INT_MAX)
++ len = INT_MAX;
+
+ if (!crng_ready() && !(flags & GRND_INSECURE)) {
+ int ret;
+@@ -1323,7 +1318,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (unlikely(ret))
+ return ret;
+ }
+- return get_random_bytes_user(buf, count);
++ return get_random_bytes_user(ubuf, len);
+ }
+
+ static unsigned int random_poll(struct file *file, poll_table *wait)
+@@ -1332,21 +1327,21 @@ static unsigned int random_poll(struct f
+ return crng_ready() ? POLLIN | POLLRDNORM : POLLOUT | POLLWRNORM;
+ }
+
+-static int write_pool(const char __user *ubuf, size_t count)
++static int write_pool(const char __user *ubuf, size_t len)
+ {
+- size_t len;
++ size_t block_len;
+ int ret = 0;
+ u8 block[BLAKE2S_BLOCK_SIZE];
+
+- while (count) {
+- len = min(count, sizeof(block));
+- if (copy_from_user(block, ubuf, len)) {
++ while (len) {
++ block_len = min(len, sizeof(block));
++ if (copy_from_user(block, ubuf, block_len)) {
+ ret = -EFAULT;
+ goto out;
+ }
+- count -= len;
+- ubuf += len;
+- mix_pool_bytes(block, len);
++ len -= block_len;
++ ubuf += block_len;
++ mix_pool_bytes(block, block_len);
+ cond_resched();
+ }
+
+@@ -1355,20 +1350,20 @@ out:
+ return ret;
+ }
+
+-static ssize_t random_write(struct file *file, const char __user *buffer,
+- size_t count, loff_t *ppos)
++static ssize_t random_write(struct file *file, const char __user *ubuf,
++ size_t len, loff_t *ppos)
+ {
+ int ret;
+
+- ret = write_pool(buffer, count);
++ ret = write_pool(ubuf, len);
+ if (ret)
+ return ret;
+
+- return (ssize_t)count;
++ return (ssize_t)len;
+ }
+
+-static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes,
+- loff_t *ppos)
++static ssize_t urandom_read(struct file *file, char __user *ubuf,
++ size_t len, loff_t *ppos)
+ {
+ static int maxwarn = 10;
+
+@@ -1378,22 +1373,22 @@ static ssize_t urandom_read(struct file
+ else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
+ --maxwarn;
+ pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
+- current->comm, nbytes);
++ current->comm, len);
+ }
+ }
+
+- return get_random_bytes_user(buf, nbytes);
++ return get_random_bytes_user(ubuf, len);
+ }
+
+-static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes,
+- loff_t *ppos)
++static ssize_t random_read(struct file *file, char __user *ubuf,
++ size_t len, loff_t *ppos)
+ {
+ int ret;
+
+ ret = wait_for_random_bytes();
+ if (ret != 0)
+ return ret;
+- return get_random_bytes_user(buf, nbytes);
++ return get_random_bytes_user(ubuf, len);
+ }
+
+ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1516,8 +1511,8 @@ static u8 sysctl_bootid[UUID_SIZE];
+ * UUID. The difference is in whether table->data is NULL; if it is,
+ * then a new UUID is generated and returned to the user.
+ */
+-static int proc_do_uuid(struct ctl_table *table, int write,
+- void __user *buffer, size_t *lenp, loff_t *ppos)
++static int proc_do_uuid(struct ctl_table *table, int write, void __user *buf,
++ size_t *lenp, loff_t *ppos)
+ {
+ u8 tmp_uuid[UUID_SIZE], *uuid;
+ char uuid_string[UUID_STRING_LEN + 1];
+@@ -1543,14 +1538,14 @@ static int proc_do_uuid(struct ctl_table
+ }
+
+ snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid);
+- return proc_dostring(&fake_table, 0, buffer, lenp, ppos);
++ return proc_dostring(&fake_table, 0, buf, lenp, ppos);
+ }
+
+ /* The same as proc_dointvec, but writes don't change anything. */
+-static int proc_do_rointvec(struct ctl_table *table, int write, void __user *buffer,
++static int proc_do_rointvec(struct ctl_table *table, int write, void __user *buf,
+ size_t *lenp, loff_t *ppos)
+ {
+- return write ? 0 : proc_dointvec(table, 0, buffer, lenp, ppos);
++ return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos);
+ }
+
+ extern struct ctl_table random_table[];
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -12,12 +12,12 @@
+
+ struct notifier_block;
+
+-void add_device_randomness(const void *, size_t);
+-void add_bootloader_randomness(const void *, size_t);
++void add_device_randomness(const void *buf, size_t len);
++void add_bootloader_randomness(const void *buf, size_t len);
+ void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value) __latent_entropy;
+ void add_interrupt_randomness(int irq) __latent_entropy;
+-void add_hwgenerator_randomness(const void *buffer, size_t count, size_t entropy);
++void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy);
+
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ static inline void add_latent_entropy(void)
+@@ -28,8 +28,8 @@ static inline void add_latent_entropy(vo
+ static inline void add_latent_entropy(void) { }
+ #endif
+
+-void get_random_bytes(void *buf, size_t nbytes);
+-size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes);
++void get_random_bytes(void *buf, size_t len);
++size_t __must_check get_random_bytes_arch(void *buf, size_t len);
+ u32 get_random_u32(void);
+ u64 get_random_u64(void);
+ static inline unsigned int get_random_int(void)
+@@ -81,18 +81,18 @@ static inline int get_random_bytes_wait(
+ return ret;
+ }
+
+-#define declare_get_random_var_wait(var) \
+- static inline int get_random_ ## var ## _wait(var *out) { \
++#define declare_get_random_var_wait(name, ret_type) \
++ static inline int get_random_ ## name ## _wait(ret_type *out) { \
+ int ret = wait_for_random_bytes(); \
+ if (unlikely(ret)) \
+ return ret; \
+- *out = get_random_ ## var(); \
++ *out = get_random_ ## name(); \
+ return 0; \
+ }
+-declare_get_random_var_wait(u32)
+-declare_get_random_var_wait(u64)
+-declare_get_random_var_wait(int)
+-declare_get_random_var_wait(long)
++declare_get_random_var_wait(u32, u32)
++declare_get_random_var_wait(u64, u32)
++declare_get_random_var_wait(int, unsigned int)
++declare_get_random_var_wait(long, unsigned long)
+ #undef declare_get_random_var
+
+ /*
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 8 Feb 2022 12:18:33 +0100
+Subject: random: use RDSEED instead of RDRAND in entropy extraction
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 28f425e573e906a4c15f8392cc2b1561ef448595 upstream.
+
+When /dev/random was directly connected with entropy extraction, without
+any expansion stage, extract_buf() was called for every 10 bytes of data
+read from /dev/random. For that reason, RDRAND was used rather than
+RDSEED. At the same time, crng_reseed() was still only called every 5
+minutes, so there RDSEED made sense.
+
+Those olden days were also a time when the entropy collector did not use
+a cryptographic hash function, which meant most bets were off in terms
+of real preimage resistance. For that reason too it didn't matter
+_that_ much whether RDSEED was mixed in before or after entropy
+extraction; both choices were sort of bad.
+
+But now we have a cryptographic hash function at work, and with that we
+get real preimage resistance. We also now only call extract_entropy()
+every 5 minutes, rather than every 10 bytes. This allows us to do two
+important things.
+
+First, we can switch to using RDSEED in extract_entropy(), as Dominik
+suggested. Second, we can ensure that RDSEED input always goes into the
+cryptographic hash function with other things before being used
+directly. This eliminates a category of attacks in which the CPU knows
+the current state of the crng and knows that we're going to xor RDSEED
+into it, and so it computes a malicious RDSEED. By going through our
+hash function, it would require the CPU to compute a preimage on the
+fly, which isn't going to happen.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Suggested-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 246 ++++++++++++--------------------------------------
+ 1 file changed, 62 insertions(+), 184 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -323,14 +323,11 @@ static struct crng_state primary_crng =
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
+-static bool crng_need_final_init = false;
+ #define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+-static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2 * CHACHA20_KEY_SIZE)
+-static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE]);
+-static void _crng_backtrack_protect(struct crng_state *crng,
+- u8 tmp[CHACHA20_BLOCK_SIZE], int used);
++static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE]);
++static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used);
+ static void process_random_ready_list(void);
+ static void _get_random_bytes(void *buf, int nbytes);
+
+@@ -365,7 +362,7 @@ static struct {
+
+ static void extract_entropy(void *buf, size_t nbytes);
+
+-static void crng_reseed(struct crng_state *crng);
++static void crng_reseed(void);
+
+ /*
+ * This function adds bytes into the entropy "pool". It does not
+@@ -464,7 +461,7 @@ static void credit_entropy_bits(int nbit
+ trace_credit_entropy_bits(nbits, entropy_count, _RET_IP_);
+
+ if (crng_init < 2 && entropy_count >= POOL_MIN_BITS)
+- crng_reseed(&primary_crng);
++ crng_reseed();
+ }
+
+ /*********************************************************************
+@@ -477,14 +474,6 @@ static void credit_entropy_bits(int nbit
+
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+
+-/*
+- * Hack to deal with crazy userspace progams when they are all trying
+- * to access /dev/urandom in parallel. The programs are almost
+- * certainly doing something terribly wrong, but we'll work around
+- * their brain damage.
+- */
+-static struct crng_state **crng_node_pool __read_mostly;
+-
+ static void invalidate_batched_entropy(void);
+
+ static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+@@ -494,24 +483,6 @@ static int __init parse_trust_cpu(char *
+ }
+ early_param("random.trust_cpu", parse_trust_cpu);
+
+-static bool crng_init_try_arch(struct crng_state *crng)
+-{
+- int i;
+- bool arch_init = true;
+- unsigned long rv;
+-
+- for (i = 4; i < 16; i++) {
+- if (!arch_get_random_seed_long(&rv) &&
+- !arch_get_random_long(&rv)) {
+- rv = random_get_entropy();
+- arch_init = false;
+- }
+- crng->state[i] ^= rv;
+- }
+-
+- return arch_init;
+-}
+-
+ static bool __init crng_init_try_arch_early(void)
+ {
+ int i;
+@@ -530,100 +501,17 @@ static bool __init crng_init_try_arch_ea
+ return arch_init;
+ }
+
+-static void crng_initialize_secondary(struct crng_state *crng)
+-{
+- chacha_init_consts(crng->state);
+- _get_random_bytes(&crng->state[4], sizeof(u32) * 12);
+- crng_init_try_arch(crng);
+- crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+-}
+-
+-static void __init crng_initialize_primary(void)
++static void __init crng_initialize(void)
+ {
+ extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
+ if (crng_init_try_arch_early() && trust_cpu && crng_init < 2) {
+ invalidate_batched_entropy();
+- numa_crng_init();
+ crng_init = 2;
+ pr_notice("crng init done (trusting CPU's manufacturer)\n");
+ }
+ primary_crng.init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
+ }
+
+-static void crng_finalize_init(void)
+-{
+- if (!system_wq) {
+- /* We can't call numa_crng_init until we have workqueues,
+- * so mark this for processing later. */
+- crng_need_final_init = true;
+- return;
+- }
+-
+- invalidate_batched_entropy();
+- numa_crng_init();
+- crng_init = 2;
+- crng_need_final_init = false;
+- process_random_ready_list();
+- wake_up_interruptible(&crng_init_wait);
+- kill_fasync(&fasync, SIGIO, POLL_IN);
+- pr_notice("crng init done\n");
+- if (unseeded_warning.missed) {
+- pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
+- unseeded_warning.missed);
+- unseeded_warning.missed = 0;
+- }
+- if (urandom_warning.missed) {
+- pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
+- urandom_warning.missed);
+- urandom_warning.missed = 0;
+- }
+-}
+-
+-static void do_numa_crng_init(struct work_struct *work)
+-{
+- int i;
+- struct crng_state *crng;
+- struct crng_state **pool;
+-
+- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL | __GFP_NOFAIL);
+- for_each_online_node(i) {
+- crng = kmalloc_node(sizeof(struct crng_state),
+- GFP_KERNEL | __GFP_NOFAIL, i);
+- spin_lock_init(&crng->lock);
+- crng_initialize_secondary(crng);
+- pool[i] = crng;
+- }
+- /* pairs with READ_ONCE() in select_crng() */
+- if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
+- for_each_node(i)
+- kfree(pool[i]);
+- kfree(pool);
+- }
+-}
+-
+-static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);
+-
+-static void numa_crng_init(void)
+-{
+- if (IS_ENABLED(CONFIG_NUMA))
+- schedule_work(&numa_crng_init_work);
+-}
+-
+-static struct crng_state *select_crng(void)
+-{
+- if (IS_ENABLED(CONFIG_NUMA)) {
+- struct crng_state **pool;
+- int nid = numa_node_id();
+-
+- /* pairs with cmpxchg_release() in do_numa_crng_init() */
+- pool = READ_ONCE(crng_node_pool);
+- if (pool && pool[nid])
+- return pool[nid];
+- }
+-
+- return &primary_crng;
+-}
+-
+ /*
+ * crng_fast_load() can be called by code in the interrupt service
+ * path. So we can't afford to dilly-dally. Returns the number of
+@@ -701,73 +589,71 @@ static int crng_slow_load(const u8 *cp,
+ return 1;
+ }
+
+-static void crng_reseed(struct crng_state *crng)
++static void crng_reseed(void)
+ {
+ unsigned long flags;
+- int i;
++ int i, entropy_count;
+ union {
+ u8 block[CHACHA20_BLOCK_SIZE];
+ u32 key[8];
+ } buf;
+
+- if (crng == &primary_crng) {
+- int entropy_count;
+- do {
+- entropy_count = READ_ONCE(input_pool.entropy_count);
+- if (entropy_count < POOL_MIN_BITS)
+- return;
+- } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
+- extract_entropy(buf.key, sizeof(buf.key));
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- } else {
+- _extract_crng(&primary_crng, buf.block);
+- _crng_backtrack_protect(&primary_crng, buf.block,
+- CHACHA20_KEY_SIZE);
+- }
+- spin_lock_irqsave(&crng->lock, flags);
+- for (i = 0; i < 8; i++) {
+- unsigned long rv;
+- if (!arch_get_random_seed_long(&rv) &&
+- !arch_get_random_long(&rv))
+- rv = random_get_entropy();
+- crng->state[i + 4] ^= buf.key[i] ^ rv;
+- }
++ do {
++ entropy_count = READ_ONCE(input_pool.entropy_count);
++ if (entropy_count < POOL_MIN_BITS)
++ return;
++ } while (cmpxchg(&input_pool.entropy_count, entropy_count, 0) != entropy_count);
++ extract_entropy(buf.key, sizeof(buf.key));
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++
++ spin_lock_irqsave(&primary_crng.lock, flags);
++ for (i = 0; i < 8; i++)
++ primary_crng.state[i + 4] ^= buf.key[i];
+ memzero_explicit(&buf, sizeof(buf));
+- WRITE_ONCE(crng->init_time, jiffies);
+- spin_unlock_irqrestore(&crng->lock, flags);
+- if (crng == &primary_crng && crng_init < 2)
+- crng_finalize_init();
++ WRITE_ONCE(primary_crng.init_time, jiffies);
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
++ if (crng_init < 2) {
++ invalidate_batched_entropy();
++ crng_init = 2;
++ process_random_ready_list();
++ wake_up_interruptible(&crng_init_wait);
++ kill_fasync(&fasync, SIGIO, POLL_IN);
++ pr_notice("crng init done\n");
++ if (unseeded_warning.missed) {
++ pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n",
++ unseeded_warning.missed);
++ unseeded_warning.missed = 0;
++ }
++ if (urandom_warning.missed) {
++ pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
++ urandom_warning.missed);
++ urandom_warning.missed = 0;
++ }
++ }
+ }
+
+-static void _extract_crng(struct crng_state *crng, u8 out[CHACHA20_BLOCK_SIZE])
++static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE])
+ {
+ unsigned long flags, init_time;
+
+ if (crng_ready()) {
+- init_time = READ_ONCE(crng->init_time);
+- if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
+- time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
+- crng_reseed(crng);
+- }
+- spin_lock_irqsave(&crng->lock, flags);
+- chacha20_block(&crng->state[0], out);
+- if (crng->state[12] == 0)
+- crng->state[13]++;
+- spin_unlock_irqrestore(&crng->lock, flags);
+-}
+-
+-static void extract_crng(u8 out[CHACHA20_BLOCK_SIZE])
+-{
+- _extract_crng(select_crng(), out);
++ init_time = READ_ONCE(primary_crng.init_time);
++ if (time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
++ crng_reseed();
++ }
++ spin_lock_irqsave(&primary_crng.lock, flags);
++ chacha20_block(&primary_crng.state[0], out);
++ if (primary_crng.state[12] == 0)
++ primary_crng.state[13]++;
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ }
+
+ /*
+ * Use the leftover bytes from the CRNG block output (if there is
+ * enough) to mutate the CRNG key to provide backtracking protection.
+ */
+-static void _crng_backtrack_protect(struct crng_state *crng,
+- u8 tmp[CHACHA20_BLOCK_SIZE], int used)
++static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+ {
+ unsigned long flags;
+ u32 *s, *d;
+@@ -778,17 +664,12 @@ static void _crng_backtrack_protect(stru
+ extract_crng(tmp);
+ used = 0;
+ }
+- spin_lock_irqsave(&crng->lock, flags);
++ spin_lock_irqsave(&primary_crng.lock, flags);
+ s = (u32 *)&tmp[used];
+- d = &crng->state[4];
++ d = &primary_crng.state[4];
+ for (i = 0; i < 8; i++)
+ *d++ ^= *s++;
+- spin_unlock_irqrestore(&crng->lock, flags);
+-}
+-
+-static void crng_backtrack_protect(u8 tmp[CHACHA20_BLOCK_SIZE], int used)
+-{
+- _crng_backtrack_protect(select_crng(), tmp, used);
++ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ }
+
+ static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
+@@ -1053,16 +934,17 @@ static void extract_entropy(void *buf, s
+ unsigned long flags;
+ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
+ struct {
+- unsigned long rdrand[32 / sizeof(long)];
++ unsigned long rdseed[32 / sizeof(long)];
+ size_t counter;
+ } block;
+ size_t i;
+
+ trace_extract_entropy(nbytes, input_pool.entropy_count);
+
+- for (i = 0; i < ARRAY_SIZE(block.rdrand); ++i) {
+- if (!arch_get_random_long(&block.rdrand[i]))
+- block.rdrand[i] = random_get_entropy();
++ for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
++ if (!arch_get_random_seed_long(&block.rdseed[i]) &&
++ !arch_get_random_long(&block.rdseed[i]))
++ block.rdseed[i] = random_get_entropy();
+ }
+
+ spin_lock_irqsave(&input_pool.lock, flags);
+@@ -1070,7 +952,7 @@ static void extract_entropy(void *buf, s
+ /* seed = HASHPRF(last_key, entropy_input) */
+ blake2s_final(&input_pool.hash, seed);
+
+- /* next_key = HASHPRF(seed, RDRAND || 0) */
++ /* next_key = HASHPRF(seed, RDSEED || 0) */
+ block.counter = 0;
+ blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
+ blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
+@@ -1080,7 +962,7 @@ static void extract_entropy(void *buf, s
+
+ while (nbytes) {
+ i = min_t(size_t, nbytes, BLAKE2S_HASH_SIZE);
+- /* output = HASHPRF(seed, RDRAND || ++counter) */
++ /* output = HASHPRF(seed, RDSEED || ++counter) */
+ ++block.counter;
+ blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
+ nbytes -= i;
+@@ -1374,10 +1256,7 @@ static void __init init_std_data(void)
+ int __init rand_initialize(void)
+ {
+ init_std_data();
+- if (crng_need_final_init)
+- crng_finalize_init();
+- crng_initialize_primary();
+- crng_global_init_time = jiffies;
++ crng_initialize();
+ if (ratelimit_disable) {
+ urandom_warning.interval = 0;
+ unseeded_warning.interval = 0;
+@@ -1547,8 +1426,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (crng_init < 2)
+ return -ENODATA;
+- crng_reseed(&primary_crng);
+- WRITE_ONCE(crng_global_init_time, jiffies - 1);
++ crng_reseed();
+ return 0;
+ default:
+ return -EINVAL;
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 11 Feb 2022 14:58:44 +0100
+Subject: random: use SipHash as interrupt entropy accumulator
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit f5eab0e2db4f881fb2b62b3fdad5b9be673dd7ae upstream.
+
+The current fast_mix() function is a piece of classic mailing list
+crypto, where it just sort of sprung up by an anonymous author without a
+lot of real analysis of what precisely it was accomplishing. As an ARX
+permutation alone, there are some easily searchable differential trails
+in it, and as a means of preventing malicious interrupts, it completely
+fails, since it xors new data into the entire state every time. It can't
+really be analyzed as a random permutation, because it clearly isn't,
+and it can't be analyzed as an interesting linear algebraic structure
+either, because it's also not that. There really is very little one can
+say about it in terms of entropy accumulation. It might diffuse bits,
+some of the time, maybe, we hope, I guess. But for the most part, it
+fails to accomplish anything concrete.
+
+As a reminder, the simple goal of add_interrupt_randomness() is to
+simply accumulate entropy until ~64 interrupts have elapsed, and then
+dump it into the main input pool, which uses a cryptographic hash.
+
+It would be nice to have something cryptographically strong in the
+interrupt handler itself, in case a malicious interrupt compromises a
+per-cpu fast pool within the 64 interrupts / 1 second window, and then
+inside of that same window somehow can control its return address and
+cycle counter, even if that's a bit far fetched. However, with a very
+CPU-limited budget, actually doing that remains an active research
+project (and perhaps there'll be something useful for Linux to come out
+of it). And while the abundance of caution would be nice, this isn't
+*currently* the security model, and we don't yet have a fast enough
+solution to make it our security model. Plus there's not exactly a
+pressing need to do that. (And for the avoidance of doubt, the actual
+cluster of 64 accumulated interrupts still gets dumped into our
+cryptographically secure input pool.)
+
+So, for now we are going to stick with the existing interrupt security
+model, which assumes that each cluster of 64 interrupt data samples is
+mostly non-malicious and not colluding with an infoleaker. With this as
+our goal, we have a few more choices, simply aiming to accumulate
+entropy, while discarding the least amount of it.
+
+We know from <https://eprint.iacr.org/2019/198> that random oracles,
+instantiated as computational hash functions, make good entropy
+accumulators and extractors, which is the justification for using
+BLAKE2s in the main input pool. As mentioned, we don't have that luxury
+here, but we also don't have the same security model requirements,
+because we're assuming that there aren't malicious inputs. A
+pseudorandom function instance can approximately behave like a random
+oracle, provided that the key is uniformly random. But since we're not
+concerned with malicious inputs, we can pick a fixed key, which is not
+secret, knowing that "nature" won't interact with a sufficiently chosen
+fixed key by accident. So we pick a PRF with a fixed initial key, and
+accumulate into it continuously, dumping the result every 64 interrupts
+into our cryptographically secure input pool.
+
+For this, we make use of SipHash-1-x on 64-bit and HalfSipHash-1-x on
+32-bit, which are already in use in the kernel's hsiphash family of
+functions and achieve the same performance as the function they replace.
+It would be nice to do two rounds, but we don't exactly have the CPU
+budget handy for that, and one round alone is already sufficient.
+
+As mentioned, we start with a fixed initial key (zeros is fine), and
+allow SipHash's symmetry breaking constants to turn that into a useful
+starting point. Also, since we're dumping the result (or half of it on
+64-bit so as to tax our hash function the same amount on all platforms)
+into the cryptographically secure input pool, there's no point in
+finalizing SipHash's output, since it'll wind up being finalized by
+something much stronger. This means that all we need to do is use the
+ordinary round function word-by-word, as normal SipHash does.
+Simplified, the flow is as follows:
+
+Initialize:
+
+ siphash_state_t state;
+ siphash_init(&state, key={0, 0, 0, 0});
+
+Update (accumulate) on interrupt:
+
+ siphash_update(&state, interrupt_data_and_timing);
+
+Dump into input pool after 64 interrupts:
+
+ blake2s_update(&input_pool, &state, sizeof(state) / 2);
+
+The result of all of this is that the security model is unchanged from
+before -- we assume non-malicious inputs -- yet we now implement that
+model with a stronger argument. I would like to emphasize, again, that
+the purpose of this commit is to improve the existing design, by making
+it analyzable, without changing any fundamental assumptions. There may
+well be value down the road in changing up the existing design, using
+something cryptographically strong, or simply using a ring buffer of
+samples rather than having a fast_mix() at all, or changing which and
+how much data we collect each interrupt so that we can use something
+linear, or a variety of other ideas. This commit does not invalidate the
+potential for those in the future.
+
+For example, in the future, if we're able to characterize the data we're
+collecting on each interrupt, we may be able to inch toward information
+theoretic accumulators. <https://eprint.iacr.org/2021/523> shows that `s
+= ror32(s, 7) ^ x` and `s = ror64(s, 19) ^ x` make very good
+accumulators for 2-monotone distributions, which would apply to
+timestamp counters, like random_get_entropy() or jiffies, but would not
+apply to our current combination of the two values, or to the various
+function addresses and register values we mix in. Alternatively,
+<https://eprint.iacr.org/2021/1002> shows that max-period linear
+functions with no non-trivial invariant subspace make good extractors,
+used in the form `s = f(s) ^ x`. However, this only works if the input
+data is both identical and independent, and obviously a collection of
+address values and counters fails; so it goes with theoretical papers.
+Future directions here may involve trying to characterize more precisely
+what we actually need to collect in the interrupt handler, and building
+something specific around that.
+
+However, as mentioned, the morass of data we're gathering at the
+interrupt handler presently defies characterization, and so we use
+SipHash for now, which works well and performs well.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 94 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 55 insertions(+), 39 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1142,48 +1142,51 @@ void add_bootloader_randomness(const voi
+ EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+ struct fast_pool {
+- union {
+- u32 pool32[4];
+- u64 pool64[2];
+- };
+ struct work_struct mix;
++ unsigned long pool[4];
+ unsigned long last;
+ unsigned int count;
+ u16 reg_idx;
+ };
+
++static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
++#ifdef CONFIG_64BIT
++ /* SipHash constants */
++ .pool = { 0x736f6d6570736575UL, 0x646f72616e646f6dUL,
++ 0x6c7967656e657261UL, 0x7465646279746573UL }
++#else
++ /* HalfSipHash constants */
++ .pool = { 0, 0, 0x6c796765U, 0x74656462U }
++#endif
++};
++
+ /*
+- * This is a fast mixing routine used by the interrupt randomness
+- * collector. It's hardcoded for an 128 bit pool and assumes that any
+- * locks that might be needed are taken by the caller.
++ * This is [Half]SipHash-1-x, starting from an empty key. Because
++ * the key is fixed, it assumes that its inputs are non-malicious,
++ * and therefore this has no security on its own. s represents the
++ * 128 or 256-bit SipHash state, while v represents a 128-bit input.
+ */
+-static void fast_mix(u32 pool[4])
++static void fast_mix(unsigned long s[4], const unsigned long *v)
+ {
+- u32 a = pool[0], b = pool[1];
+- u32 c = pool[2], d = pool[3];
+-
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
+-
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
+-
+- a += b; c += d;
+- b = rol32(b, 6); d = rol32(d, 27);
+- d ^= a; b ^= c;
+-
+- a += b; c += d;
+- b = rol32(b, 16); d = rol32(d, 14);
+- d ^= a; b ^= c;
++ size_t i;
+
+- pool[0] = a; pool[1] = b;
+- pool[2] = c; pool[3] = d;
++ for (i = 0; i < 16 / sizeof(long); ++i) {
++ s[3] ^= v[i];
++#ifdef CONFIG_64BIT
++ s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32);
++ s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2];
++ s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0];
++ s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32);
++#else
++ s[0] += s[1]; s[1] = rol32(s[1], 5); s[1] ^= s[0]; s[0] = rol32(s[0], 16);
++ s[2] += s[3]; s[3] = rol32(s[3], 8); s[3] ^= s[2];
++ s[0] += s[3]; s[3] = rol32(s[3], 7); s[3] ^= s[0];
++ s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16);
++#endif
++ s[0] ^= v[i];
++ }
+ }
+
+-static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
+-
+ #ifdef CONFIG_SMP
+ /*
+ * This function is called when the CPU has just come online, with
+@@ -1225,7 +1228,15 @@ static unsigned long get_reg(struct fast
+ static void mix_interrupt_randomness(struct work_struct *work)
+ {
+ struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
+- u32 pool[4];
++ /*
++ * The size of the copied stack pool is explicitly 16 bytes so that we
++ * tax mix_pool_byte()'s compression function the same amount on all
++ * platforms. This means on 64-bit we copy half the pool into this,
++ * while on 32-bit we copy all of it. The entropy is supposed to be
++ * sufficiently dispersed between bits that in the sponge-like
++ * half case, on average we don't wind up "losing" some.
++ */
++ u8 pool[16];
+
+ /* Check to see if we're running on the wrong CPU due to hotplug. */
+ local_irq_disable();
+@@ -1238,7 +1249,7 @@ static void mix_interrupt_randomness(str
+ * Copy the pool to the stack so that the mixer always has a
+ * consistent view, before we reenable irqs again.
+ */
+- memcpy(pool, fast_pool->pool32, sizeof(pool));
++ memcpy(pool, fast_pool->pool, sizeof(pool));
+ fast_pool->count = 0;
+ fast_pool->last = jiffies;
+ local_irq_enable();
+@@ -1262,25 +1273,30 @@ void add_interrupt_randomness(int irq)
+ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
+ struct pt_regs *regs = get_irq_regs();
+ unsigned int new_count;
++ union {
++ u32 u32[4];
++ u64 u64[2];
++ unsigned long longs[16 / sizeof(long)];
++ } irq_data;
+
+ if (cycles == 0)
+ cycles = get_reg(fast_pool, regs);
+
+ if (sizeof(cycles) == 8)
+- fast_pool->pool64[0] ^= cycles ^ rol64(now, 32) ^ irq;
++ irq_data.u64[0] = cycles ^ rol64(now, 32) ^ irq;
+ else {
+- fast_pool->pool32[0] ^= cycles ^ irq;
+- fast_pool->pool32[1] ^= now;
++ irq_data.u32[0] = cycles ^ irq;
++ irq_data.u32[1] = now;
+ }
+
+ if (sizeof(unsigned long) == 8)
+- fast_pool->pool64[1] ^= regs ? instruction_pointer(regs) : _RET_IP_;
++ irq_data.u64[1] = regs ? instruction_pointer(regs) : _RET_IP_;
+ else {
+- fast_pool->pool32[2] ^= regs ? instruction_pointer(regs) : _RET_IP_;
+- fast_pool->pool32[3] ^= get_reg(fast_pool, regs);
++ irq_data.u32[2] = regs ? instruction_pointer(regs) : _RET_IP_;
++ irq_data.u32[3] = get_reg(fast_pool, regs);
+ }
+
+- fast_mix(fast_pool->pool32);
++ fast_mix(fast_pool->pool, irq_data.longs);
+ new_count = ++fast_pool->count;
+
+ if (new_count & MIX_INFLIGHT)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 3 May 2022 15:30:45 +0200
+Subject: random: use static branch for crng_ready()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit f5bda35fba615ace70a656d4700423fa6c9bebee upstream.
+
+Since crng_ready() is only false briefly during initialization and then
+forever after becomes true, we don't need to evaluate it after, making
+it a prime candidate for a static branch.
+
+One complication, however, is that it changes state in a particular call
+to credit_init_bits(), which might be made from atomic context, which
+means we must kick off a workqueue to change the static key. Further
+complicating things, credit_init_bits() may be called sufficiently early
+on in system initialization such that system_wq is NULL.
+
+Fortunately, there exists the nice function execute_in_process_context(),
+which will immediately execute the function if !in_interrupt(), and
+otherwise defer it to a workqueue. During early init, before workqueues
+are available, in_interrupt() is always false, because interrupts
+haven't even been enabled yet, which means the function in that case
+executes immediately. Later on, after workqueues are available,
+in_interrupt() might be true, but in that case, the work is queued in
+system_wq and all goes well.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Sultan Alsawaf <sultan@kerneltoast.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -77,8 +77,9 @@ static enum {
+ CRNG_EMPTY = 0, /* Little to no entropy collected */
+ CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */
+ CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */
+-} crng_init = CRNG_EMPTY;
+-#define crng_ready() (likely(crng_init >= CRNG_READY))
++} crng_init __read_mostly = CRNG_EMPTY;
++static DEFINE_STATIC_KEY_FALSE(crng_is_ready);
++#define crng_ready() (static_branch_likely(&crng_is_ready) || crng_init >= CRNG_READY)
+ /* Various types of waiters for crng_init->CRNG_READY transition. */
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+ static struct fasync_struct *fasync;
+@@ -108,6 +109,11 @@ bool rng_is_initialized(void)
+ }
+ EXPORT_SYMBOL(rng_is_initialized);
+
++static void crng_set_ready(struct work_struct *work)
++{
++ static_branch_enable(&crng_is_ready);
++}
++
+ /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
+ static void try_to_generate_entropy(void);
+
+@@ -267,7 +273,7 @@ static void crng_reseed(void)
+ ++next_gen;
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+- if (!crng_ready())
++ if (!static_branch_likely(&crng_is_ready))
+ crng_init = CRNG_READY;
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ memzero_explicit(key, sizeof(key));
+@@ -782,6 +788,7 @@ static void extract_entropy(void *buf, s
+
+ static void credit_init_bits(size_t nbits)
+ {
++ static struct execute_work set_ready;
+ unsigned int new, orig, add;
+ unsigned long flags;
+
+@@ -797,6 +804,7 @@ static void credit_init_bits(size_t nbit
+
+ if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) {
+ crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */
++ execute_in_process_context(crng_set_ready, &set_ready);
+ process_random_ready_list();
+ wake_up_interruptible(&crng_init_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+@@ -1306,7 +1314,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
+ if (count > INT_MAX)
+ count = INT_MAX;
+
+- if (!(flags & GRND_INSECURE) && !crng_ready()) {
++ if (!crng_ready() && !(flags & GRND_INSECURE)) {
+ int ret;
+
+ if (flags & GRND_NONBLOCK)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 8 May 2022 13:20:30 +0200
+Subject: random: use symbolic constants for crng_init states
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e3d2c5e79a999aa4e7d6f0127e16d3da5a4ff70d upstream.
+
+crng_init represents a state machine, with three states, and various
+rules for transitions. For the longest time, we've been managing these
+with "0", "1", and "2", and expecting people to figure it out. To make
+the code more obvious, replace these with proper enum values
+representing the transition, and then redocument what each of these
+states mean.
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Joe Perches <joe@perches.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -70,16 +70,16 @@
+ *********************************************************************/
+
+ /*
+- * crng_init = 0 --> Uninitialized
+- * 1 --> Initialized
+- * 2 --> Initialized from input_pool
+- *
+ * crng_init is protected by base_crng->lock, and only increases
+- * its value (from 0->1->2).
++ * its value (from empty->early->ready).
+ */
+-static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 1))
+-/* Various types of waiters for crng_init->2 transition. */
++static enum {
++ CRNG_EMPTY = 0, /* Little to no entropy collected */
++ CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */
++ CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */
++} crng_init = CRNG_EMPTY;
++#define crng_ready() (likely(crng_init >= CRNG_READY))
++/* Various types of waiters for crng_init->CRNG_READY transition. */
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+ static struct fasync_struct *fasync;
+ static DEFINE_SPINLOCK(random_ready_chain_lock);
+@@ -282,7 +282,7 @@ static void crng_reseed(void)
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+ if (!crng_ready()) {
+- crng_init = 2;
++ crng_init = CRNG_READY;
+ finalize_init = true;
+ }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+@@ -376,7 +376,7 @@ static void crng_make_state(u32 chacha_s
+ * For the fast path, we check whether we're ready, unlocked first, and
+ * then re-check once locked later. In the case where we're really not
+ * ready, we do fast key erasure with the base_crng directly, extracting
+- * when crng_init==0.
++ * when crng_init is CRNG_EMPTY.
+ */
+ if (!crng_ready()) {
+ bool ready;
+@@ -384,7 +384,7 @@ static void crng_make_state(u32 chacha_s
+ spin_lock_irqsave(&base_crng.lock, flags);
+ ready = crng_ready();
+ if (!ready) {
+- if (crng_init == 0)
++ if (crng_init == CRNG_EMPTY)
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+ crng_fast_key_erasure(base_crng.key, chacha_state,
+ random_data, random_data_len);
+@@ -735,8 +735,8 @@ EXPORT_SYMBOL(get_random_bytes_arch);
+
+ enum {
+ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
+- POOL_INIT_BITS = POOL_BITS, /* No point in settling for less. */
+- POOL_FAST_INIT_BITS = POOL_INIT_BITS / 2
++ POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */
++ POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */
+ };
+
+ static struct {
+@@ -831,13 +831,13 @@ static void credit_init_bits(size_t nbit
+ init_bits = min_t(unsigned int, POOL_BITS, orig + add);
+ } while (cmpxchg(&input_pool.init_bits, orig, init_bits) != orig);
+
+- if (!crng_ready() && init_bits >= POOL_INIT_BITS)
++ if (!crng_ready() && init_bits >= POOL_READY_BITS)
+ crng_reseed();
+- else if (unlikely(crng_init == 0 && init_bits >= POOL_FAST_INIT_BITS)) {
++ else if (unlikely(crng_init == CRNG_EMPTY && init_bits >= POOL_EARLY_BITS)) {
+ spin_lock_irqsave(&base_crng.lock, flags);
+- if (crng_init == 0) {
++ if (crng_init == CRNG_EMPTY) {
+ extract_entropy(base_crng.key, sizeof(base_crng.key));
+- crng_init = 1;
++ crng_init = CRNG_EARLY;
+ }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ }
+@@ -1510,7 +1510,7 @@ const struct file_operations urandom_fop
+ *
+ * - write_wakeup_threshold - the amount of entropy in the input pool
+ * below which write polls to /dev/random will unblock, requesting
+- * more entropy, tied to the POOL_INIT_BITS constant. It is writable
++ * more entropy, tied to the POOL_READY_BITS constant. It is writable
+ * to avoid breaking old userspaces, but writing to it does not
+ * change any behavior of the RNG.
+ *
+@@ -1525,7 +1525,7 @@ const struct file_operations urandom_fop
+ #include <linux/sysctl.h>
+
+ static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
+-static int sysctl_random_write_wakeup_bits = POOL_INIT_BITS;
++static int sysctl_random_write_wakeup_bits = POOL_READY_BITS;
+ static int sysctl_poolsize = POOL_BITS;
+ static u8 sysctl_bootid[UUID_SIZE];
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 5 Sep 2019 09:41:12 -0700
+Subject: random: Use wait_event_freezable() in add_hwgenerator_randomness()
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit 59b569480dc8bb9dce57cdff133853a842dfd805 upstream.
+
+Sebastian reports that after commit ff296293b353 ("random: Support freezable
+kthreads in add_hwgenerator_randomness()") we can call might_sleep() when the
+task state is TASK_INTERRUPTIBLE (state=1). This leads to the following warning.
+
+ do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000349d1489>] prepare_to_wait_event+0x5a/0x180
+ WARNING: CPU: 0 PID: 828 at kernel/sched/core.c:6741 __might_sleep+0x6f/0x80
+ Modules linked in:
+
+ CPU: 0 PID: 828 Comm: hwrng Not tainted 5.3.0-rc7-next-20190903+ #46
+ RIP: 0010:__might_sleep+0x6f/0x80
+
+ Call Trace:
+ kthread_freezable_should_stop+0x1b/0x60
+ add_hwgenerator_randomness+0xdd/0x130
+ hwrng_fillfn+0xbf/0x120
+ kthread+0x10c/0x140
+ ret_from_fork+0x27/0x50
+
+We shouldn't call kthread_freezable_should_stop() from deep within the
+wait_event code because the task state is still set as
+TASK_INTERRUPTIBLE instead of TASK_RUNNING and
+kthread_freezable_should_stop() will try to call into the freezer with
+the task in the wrong state. Use wait_event_freezable() instead so that
+it calls schedule() in the right place and tries to enter the freezer
+when the task state is TASK_RUNNING instead.
+
+Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Keerthy <j-keerthy@ti.com>
+Fixes: ff296293b353 ("random: Support freezable kthreads in add_hwgenerator_randomness()")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -327,6 +327,7 @@
+ #include <linux/percpu.h>
+ #include <linux/cryptohash.h>
+ #include <linux/fips.h>
++#include <linux/freezer.h>
+ #include <linux/ptrace.h>
+ #include <linux/workqueue.h>
+ #include <linux/irq.h>
+@@ -2420,7 +2421,6 @@ void add_hwgenerator_randomness(const ch
+ size_t entropy)
+ {
+ struct entropy_store *poolp = &input_pool;
+- bool frozen = false;
+
+ if (unlikely(crng_init == 0)) {
+ crng_fast_load(buffer, count);
+@@ -2431,13 +2431,11 @@ void add_hwgenerator_randomness(const ch
+ * We'll be woken up again once below random_write_wakeup_thresh,
+ * or when the calling thread is about to terminate.
+ */
+- wait_event_interruptible(random_write_wait,
+- kthread_freezable_should_stop(&frozen) ||
++ wait_event_freezable(random_write_wait,
++ kthread_should_stop() ||
+ ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
+- if (!frozen) {
+- mix_pool_bytes(poolp, buffer, count);
+- credit_entropy_bits(poolp, entropy);
+- }
++ mix_pool_bytes(poolp, buffer, count);
++ credit_entropy_bits(poolp, entropy);
+ }
+ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 19 May 2022 17:31:37 -0600
+Subject: random: wire up fops->splice_{read,write}_iter()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 79025e727a846be6fd215ae9cdb654368ac3f9a6 upstream.
+
+Now that random/urandom is using {read,write}_iter, we can wire it up to
+using the generic splice handlers.
+
+Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[Jason: added the splice_write path. Note that sendfile() and such still
+ does not work for read, though it does for write, because of a file
+ type restriction in splice_direct_to_actor(), which I'll address
+ separately.]
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1381,6 +1381,8 @@ const struct file_operations random_fops
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+ .llseek = noop_llseek,
++ .splice_read = generic_file_splice_read,
++ .splice_write = iter_file_splice_write,
+ };
+
+ const struct file_operations urandom_fops = {
+@@ -1389,6 +1391,8 @@ const struct file_operations urandom_fop
+ .unlocked_ioctl = random_ioctl,
+ .fasync = random_fasync,
+ .llseek = noop_llseek,
++ .splice_read = generic_file_splice_read,
++ .splice_write = iter_file_splice_write,
+ };
+
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 9 Feb 2022 18:42:13 +0100
+Subject: random: zero buffer after reading entropy from userspace
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 7b5164fb1279bf0251371848e40bae646b59b3a8 upstream.
+
+This buffer may contain entropic data that shouldn't stick around longer
+than needed, so zero out the temporary buffer at the end of write_pool().
+
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Reviewed-by: Jann Horn <jannh@google.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -500,6 +500,7 @@ static void crng_reseed(void)
+ int entropy_count;
+ unsigned long next_gen;
+ u8 key[CHACHA20_KEY_SIZE];
++ bool finalize_init = false;
+
+ /*
+ * First we make sure we have POOL_MIN_BITS of entropy in the pool,
+@@ -527,12 +528,14 @@ static void crng_reseed(void)
+ ++next_gen;
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+- spin_unlock_irqrestore(&base_crng.lock, flags);
+- memzero_explicit(key, sizeof(key));
+-
+ if (crng_init < 2) {
+ invalidate_batched_entropy();
+ crng_init = 2;
++ finalize_init = true;
++ }
++ spin_unlock_irqrestore(&base_crng.lock, flags);
++ memzero_explicit(key, sizeof(key));
++ if (finalize_init) {
+ process_random_ready_list();
+ wake_up_interruptible(&crng_init_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
+@@ -1334,19 +1337,24 @@ static unsigned int random_poll(struct f
+ static int write_pool(const char __user *ubuf, size_t count)
+ {
+ size_t len;
++ int ret = 0;
+ u8 block[BLAKE2S_BLOCK_SIZE];
+
+ while (count) {
+ len = min(count, sizeof(block));
+- if (copy_from_user(block, ubuf, len))
+- return -EFAULT;
++ if (copy_from_user(block, ubuf, len)) {
++ ret = -EFAULT;
++ goto out;
++ }
+ count -= len;
+ ubuf += len;
+ mix_pool_bytes(block, len);
+ cond_resched();
+ }
+
+- return 0;
++out:
++ memzero_explicit(block, sizeof(block));
++ return ret;
+ }
+
+ static ssize_t random_write(struct file *file, const char __user *buffer,
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 17 Nov 2019 08:48:17 +0800
+Subject: Revert "hwrng: core - Freeze khwrng thread during suspend"
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 08e97aec700aeff54c4847f170e566cbd7e14e81 upstream.
+
+This reverts commit 03a3bb7ae631 ("hwrng: core - Freeze khwrng
+thread during suspend"), ff296293b353 ("random: Support freezable
+kthreads in add_hwgenerator_randomness()") and 59b569480dc8 ("random:
+Use wait_event_freezable() in add_hwgenerator_randomness()").
+
+These patches introduced regressions and we need more time to
+get them ready for mainline.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -327,7 +327,6 @@
+ #include <linux/percpu.h>
+ #include <linux/cryptohash.h>
+ #include <linux/fips.h>
+-#include <linux/freezer.h>
+ #include <linux/ptrace.h>
+ #include <linux/workqueue.h>
+ #include <linux/irq.h>
+@@ -2431,8 +2430,7 @@ void add_hwgenerator_randomness(const ch
+ * We'll be woken up again once below random_write_wakeup_thresh,
+ * or when the calling thread is about to terminate.
+ */
+- wait_event_freezable(random_write_wait,
+- kthread_should_stop() ||
++ wait_event_interruptible(random_write_wait, kthread_should_stop() ||
+ ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
+ mix_pool_bytes(poolp, buffer, count);
+ credit_entropy_bits(poolp, entropy);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 7 Jun 2022 10:40:05 +0200
+Subject: Revert "random: use static branch for crng_ready()"
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+This reverts upstream commit f5bda35fba615ace70a656d4700423fa6c9bebee
+from stable. It's not essential and will take some time during 5.19 to
+work out properly.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -79,8 +79,7 @@ static enum {
+ CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */
+ CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */
+ } crng_init __read_mostly = CRNG_EMPTY;
+-static DEFINE_STATIC_KEY_FALSE(crng_is_ready);
+-#define crng_ready() (static_branch_likely(&crng_is_ready) || crng_init >= CRNG_READY)
++#define crng_ready() (likely(crng_init >= CRNG_READY))
+ /* Various types of waiters for crng_init->CRNG_READY transition. */
+ static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
+ static struct fasync_struct *fasync;
+@@ -110,11 +109,6 @@ bool rng_is_initialized(void)
+ }
+ EXPORT_SYMBOL(rng_is_initialized);
+
+-static void __cold crng_set_ready(struct work_struct *work)
+-{
+- static_branch_enable(&crng_is_ready);
+-}
+-
+ /* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
+ static void try_to_generate_entropy(void);
+
+@@ -268,7 +262,7 @@ static void crng_reseed(void)
+ ++next_gen;
+ WRITE_ONCE(base_crng.generation, next_gen);
+ WRITE_ONCE(base_crng.birth, jiffies);
+- if (!static_branch_likely(&crng_is_ready))
++ if (!crng_ready())
+ crng_init = CRNG_READY;
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ memzero_explicit(key, sizeof(key));
+@@ -709,7 +703,6 @@ static void extract_entropy(void *buf, s
+
+ static void __cold _credit_init_bits(size_t bits)
+ {
+- static struct execute_work set_ready;
+ unsigned int new, orig, add;
+ unsigned long flags;
+
+@@ -725,7 +718,6 @@ static void __cold _credit_init_bits(siz
+
+ if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) {
+ crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */
+- execute_in_process_context(crng_set_ready, &set_ready);
+ process_random_ready_list();
+ wake_up_interruptible(&crng_init_wait);
+ kill_fasync(&fasync, SIGIO, POLL_IN);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: s390: define get_cycles macro for arch-override
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 2e3df523256cb9836de8441e9c791a796759bb3c upstream.
+
+S390x defines a get_cycles() function, but it does not do the usual
+`#define get_cycles get_cycles` dance, making it impossible for generic
+code to see if an arch-specific function was defined. While the
+get_cycles() ifdef is not currently used, the following timekeeping
+patch in this series will depend on the macro existing (or not existing)
+when defining random_get_entropy().
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/timex.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/include/asm/timex.h
++++ b/arch/s390/include/asm/timex.h
+@@ -177,6 +177,7 @@ static inline cycles_t get_cycles(void)
+ {
+ return (cycles_t) get_tod_clock() >> 2;
+ }
++#define get_cycles get_cycles
+
+ int get_phys_clock(unsigned long *clock);
+ void init_cpu_timer(void);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:15 +0000
+Subject: s390: Remove arch_has_random, arch_has_random_seed
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 5e054c820f59bbb9714d5767f5f476581c309ca8 upstream.
+
+These symbols are currently part of the generic archrandom.h
+interface, but are currently unused and can be removed.
+
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-4-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/archrandom.h | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/arch/s390/include/asm/archrandom.h
++++ b/arch/s390/include/asm/archrandom.h
+@@ -26,18 +26,6 @@ static void s390_arch_random_generate(u8
+ atomic64_add(nbytes, &s390_arch_random_counter);
+ }
+
+-static inline bool arch_has_random(void)
+-{
+- if (static_branch_likely(&s390_arch_random_available))
+- return true;
+- return false;
+-}
+-
+-static inline bool arch_has_random_seed(void)
+-{
+- return arch_has_random();
+-}
+-
+ static inline bool arch_get_random_long(unsigned long *v)
+ {
+ if (static_branch_likely(&s390_arch_random_available)) {
9p-missing-chunk-of-fs-9p-don-t-update-file-type-when-updating-file-attributes.patch
+crypto-chacha20-fix-keystream-alignment-for-chacha20_block.patch
+random-always-fill-buffer-in-get_random_bytes_wait.patch
+random-optimize-add_interrupt_randomness.patch
+drivers-char-random.c-remove-unused-dont_count_entropy.patch
+random-fix-whitespace-pre-random-bytes-work.patch
+random-return-nbytes-filled-from-hw-rng.patch
+random-add-a-config-option-to-trust-the-cpu-s-hwrng.patch
+random-remove-preempt-disabled-region.patch
+random-make-crng-state-queryable.patch
+random-make-cpu-trust-a-boot-parameter.patch
+drivers-char-random.c-constify-poolinfo_table.patch
+drivers-char-random.c-remove-unused-stuct-poolinfo-poolbits.patch
+drivers-char-random.c-make-primary_crng-static.patch
+random-only-read-from-dev-random-after-its-pool-has-received-128-bits.patch
+random-move-rand_initialize-earlier.patch
+random-document-get_random_int-family.patch
+latent_entropy-avoid-build-error-when-plugin-cflags-are-not-set.patch
+random-fix-soft-lockup-when-trying-to-read-from-an-uninitialized-blocking-pool.patch
+random-support-freezable-kthreads-in-add_hwgenerator_randomness.patch
+fdt-add-support-for-rng-seed.patch
+random-use-wait_event_freezable-in-add_hwgenerator_randomness.patch
+char-random-add-a-newline-at-the-end-of-the-file.patch
+revert-hwrng-core-freeze-khwrng-thread-during-suspend.patch
+crypto-deduplicate-le32_to_cpu_array-and-cpu_to_le32_array.patch
+crypto-blake2s-generic-c-library-implementation-and-selftest.patch
+lib-crypto-blake2s-move-hmac-construction-into-wireguard.patch
+lib-crypto-sha1-re-roll-loops-to-reduce-code-size.patch
+random-don-t-wake-crng_init_wait-when-crng_init-1.patch
+random-add-a-urandom_read_nowait-for-random-apis-that-don-t-warn.patch
+random-add-grnd_insecure-to-return-best-effort-non-cryptographic-bytes.patch
+random-ignore-grnd_random-in-getentropy-2.patch
+random-make-dev-random-be-almost-like-dev-urandom.patch
+char-random-silence-a-lockdep-splat-with-printk.patch
+random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch
+random-remove-the-blocking-pool.patch
+random-delete-code-to-pull-data-into-pools.patch
+random-remove-kernel.random.read_wakeup_threshold.patch
+random-remove-unnecessary-unlikely.patch
+random-convert-to-entropy_bits-for-better-code-readability.patch
+random-add-and-use-pr_fmt.patch
+random-fix-typo-in-add_timer_randomness.patch
+random-remove-some-dead-code-of-poolinfo.patch
+random-split-primary-secondary-crng-init-paths.patch
+random-avoid-warnings-for-config_numa-builds.patch
+x86-remove-arch_has_random-arch_has_random_seed.patch
+powerpc-remove-arch_has_random-arch_has_random_seed.patch
+s390-remove-arch_has_random-arch_has_random_seed.patch
+linux-random.h-remove-arch_has_random-arch_has_random_seed.patch
+linux-random.h-use-false-with-bool.patch
+linux-random.h-mark-config_arch_random-functions-__must_check.patch
+powerpc-use-bool-in-archrandom.h.patch
+random-add-arch_get_random_-long_early.patch
+random-avoid-arch_get_random_seed_long-when-collecting-irq-randomness.patch
+random-remove-dead-code-left-over-from-blocking-pool.patch
+maintainers-co-maintain-random.c.patch
+crypto-blake2s-include-linux-bug.h-instead-of-asm-bug.h.patch
+crypto-blake2s-adjust-include-guard-naming.patch
+random-document-add_hwgenerator_randomness-with-other-input-functions.patch
+random-remove-unused-irq_flags-argument-from-add_interrupt_randomness.patch
+random-use-blake2s-instead-of-sha1-in-extraction.patch
+random-do-not-sign-extend-bytes-for-rotation-when-mixing.patch
+random-do-not-re-init-if-crng_reseed-completes-before-primary-init.patch
+random-mix-bootloader-randomness-into-pool.patch
+random-harmonize-crng-init-done-messages.patch
+random-use-is_enabled-config_numa-instead-of-ifdefs.patch
+random-initialize-chacha20-constants-with-correct-endianness.patch
+random-early-initialization-of-chacha-constants.patch
+random-avoid-superfluous-call-to-rdrand-in-crng-extraction.patch
+random-don-t-reset-crng_init_cnt-on-urandom_read.patch
+random-fix-typo-in-comments.patch
+random-cleanup-poolinfo-abstraction.patch
+crypto-chacha20-fix-chacha20_block-keystream-alignment-again.patch
+random-cleanup-integer-types.patch
+random-remove-incomplete-last_data-logic.patch
+random-remove-unused-extract_entropy-reserved-argument.patch
+random-try-to-actively-add-entropy-rather-than-passively-wait-for-it.patch
+random-rather-than-entropy_store-abstraction-use-global.patch
+random-remove-unused-output_pool-constants.patch
+random-de-duplicate-input_pool-constants.patch
+random-prepend-remaining-pool-constants-with-pool_.patch
+random-cleanup-fractional-entropy-shift-constants.patch
+random-access-input_pool_data-directly-rather-than-through-pointer.patch
+random-simplify-arithmetic-function-flow-in-account.patch
+random-continually-use-hwgenerator-randomness.patch
+random-access-primary_pool-directly-rather-than-through-pointer.patch
+random-only-call-crng_finalize_init-for-primary_crng.patch
+random-use-computational-hash-for-entropy-extraction.patch
+random-simplify-entropy-debiting.patch
+random-use-linear-min-entropy-accumulation-crediting.patch
+random-always-wake-up-entropy-writers-after-extraction.patch
+random-make-credit_entropy_bits-always-safe.patch
+random-remove-use_input_pool-parameter-from-crng_reseed.patch
+random-remove-batched-entropy-locking.patch
+random-fix-locking-in-crng_fast_load.patch
+random-use-rdseed-instead-of-rdrand-in-entropy-extraction.patch
+random-inline-leaves-of-rand_initialize.patch
+random-ensure-early-rdseed-goes-through-mixer-on-init.patch
+random-do-not-xor-rdrand-when-writing-into-dev-random.patch
+random-absorb-fast-pool-into-input-pool-after-fast-load.patch
+random-use-hash-function-for-crng_slow_load.patch
+random-remove-outdated-int_max-6-check-in-urandom_read.patch
+random-zero-buffer-after-reading-entropy-from-userspace.patch
+random-tie-batched-entropy-generation-to-base_crng-generation.patch
+random-remove-ifdef-d-out-interrupt-bench.patch
+random-remove-unused-tracepoints.patch
+random-add-proper-spdx-header.patch
+random-deobfuscate-irq-u32-u64-contributions.patch
+random-introduce-drain_entropy-helper-to-declutter-crng_reseed.patch
+random-remove-useless-header-comment.patch
+random-remove-whitespace-and-reorder-includes.patch
+random-group-initialization-wait-functions.patch
+random-group-entropy-extraction-functions.patch
+random-group-entropy-collection-functions.patch
+random-group-userspace-read-write-functions.patch
+random-group-sysctl-functions.patch
+random-rewrite-header-introductory-comment.patch
+random-defer-fast-pool-mixing-to-worker.patch
+random-do-not-take-pool-spinlock-at-boot.patch
+random-unify-early-init-crng-load-accounting.patch
+random-check-for-crng_init-0-in-add_device_randomness.patch
+random-pull-add_hwgenerator_randomness-declaration-into-random.h.patch
+random-clear-fast-pool-crng-and-batches-in-cpuhp-bring-up.patch
+random-round-robin-registers-as-ulong-not-u32.patch
+random-only-wake-up-writers-after-zap-if-threshold-was-passed.patch
+random-cleanup-uuid-handling.patch
+random-unify-cycles_t-and-jiffies-usage-and-types.patch
+random-do-crng-pre-init-loading-in-worker-rather-than-irq.patch
+random-give-sysctl_random_min_urandom_seed-a-more-sensible-value.patch
+random-don-t-let-644-read-only-sysctls-be-written-to.patch
+random-replace-custom-notifier-chain-with-standard-one.patch
+random-use-siphash-as-interrupt-entropy-accumulator.patch
+random-make-consistent-usage-of-crng_ready.patch
+random-reseed-more-often-immediately-after-booting.patch
+random-check-for-signal-and-try-earlier-when-generating-entropy.patch
+random-skip-fast_init-if-hwrng-provides-large-chunk-of-entropy.patch
+random-treat-bootloader-trust-toggle-the-same-way-as-cpu-trust-toggle.patch
+random-re-add-removed-comment-about-get_random_-u32-u64-reseeding.patch
+random-mix-build-time-latent-entropy-into-pool-at-init.patch
+random-do-not-split-fast-init-input-in-add_hwgenerator_randomness.patch
+random-do-not-allow-user-to-keep-crng-key-around-on-stack.patch
+random-check-for-signal_pending-outside-of-need_resched-check.patch
+random-check-for-signals-every-page_size-chunk-of-dev-random.patch
+random-make-random_get_entropy-return-an-unsigned-long.patch
+random-document-crng_fast_key_erasure-destination-possibility.patch
+random-fix-sysctl-documentation-nits.patch
+init-call-time_init-before-rand_initialize.patch
+ia64-define-get_cycles-macro-for-arch-override.patch
+s390-define-get_cycles-macro-for-arch-override.patch
+parisc-define-get_cycles-macro-for-arch-override.patch
+alpha-define-get_cycles-macro-for-arch-override.patch
+powerpc-define-get_cycles-macro-for-arch-override.patch
+timekeeping-add-raw-clock-fallback-for-random_get_entropy.patch
+m68k-use-fallback-for-random_get_entropy-instead-of-zero.patch
+mips-use-fallback-for-random_get_entropy-instead-of-just-c0-random.patch
+arm-use-fallback-for-random_get_entropy-instead-of-zero.patch
+nios2-use-fallback-for-random_get_entropy-instead-of-zero.patch
+x86-tsc-use-fallback-for-random_get_entropy-instead-of-zero.patch
+um-use-fallback-for-random_get_entropy-instead-of-zero.patch
+sparc-use-fallback-for-random_get_entropy-instead-of-zero.patch
+xtensa-use-fallback-for-random_get_entropy-instead-of-zero.patch
+random-insist-on-random_get_entropy-existing-in-order-to-simplify.patch
+random-do-not-use-batches-when-crng_ready.patch
+random-do-not-pretend-to-handle-premature-next-security-model.patch
+random-order-timer-entropy-functions-below-interrupt-functions.patch
+random-do-not-use-input-pool-from-hard-irqs.patch
+random-help-compiler-out-with-fast_mix-by-using-simpler-arguments.patch
+siphash-use-one-source-of-truth-for-siphash-permutations.patch
+random-use-symbolic-constants-for-crng_init-states.patch
+random-avoid-initializing-twice-in-credit-race.patch
+random-remove-ratelimiting-for-in-kernel-unseeded-randomness.patch
+random-use-proper-jiffies-comparison-macro.patch
+random-handle-latent-entropy-and-command-line-from-random_init.patch
+random-credit-architectural-init-the-exact-amount.patch
+random-use-static-branch-for-crng_ready.patch
+random-remove-extern-from-functions-in-header.patch
+random-use-proper-return-types-on-get_random_-int-long-_wait.patch
+random-move-initialization-functions-out-of-hot-pages.patch
+random-move-randomize_page-into-mm-where-it-belongs.patch
+random-convert-to-using-fops-write_iter.patch
+random-wire-up-fops-splice_-read-write-_iter.patch
+random-check-for-signals-after-page-of-pool-writes.patch
+revert-random-use-static-branch-for-crng_ready.patch
+crypto-drbg-add-fips-140-2-ctrng-for-noise-source.patch
+crypto-drbg-always-seeded-with-sp800-90b-compliant-noise-source.patch
+crypto-drbg-prepare-for-more-fine-grained-tracking-of-seeding-state.patch
+crypto-drbg-track-whether-drbg-was-seeded-with-rng_is_initialized.patch
+crypto-drbg-move-dynamic-reseed_threshold-adjustments-to-__drbg_seed.patch
+crypto-drbg-always-try-to-free-jitter-rng-instance.patch
+crypto-drbg-make-reseeding-from-get_random_bytes-synchronous.patch
+random-avoid-checking-crng_ready-twice-in-random_init.patch
+random-mark-bootloader-randomness-code-as-__init.patch
+random-account-for-arch-randomness-in-bits.patch
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 7 May 2022 14:03:46 +0200
+Subject: siphash: use one source of truth for siphash permutations
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e73aaae2fa9024832e1f42e30c787c7baf61d014 upstream.
+
+The SipHash family of permutations is currently used in three places:
+
+- siphash.c itself, used in the ordinary way it was intended.
+- random32.c, in a construction from an anonymous contributor.
+- random.c, as part of its fast_mix function.
+
+Each one of these places reinvents the wheel with the same C code, same
+rotation constants, and same symmetry-breaking constants.
+
+This commit tidies things up a bit by placing macros for the
+permutations and constants into siphash.h, where each of the three .c
+users can access them. It also leaves a note dissuading more users of
+them from emerging.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/random.c | 30 +++++++-----------------------
+ include/linux/prandom.h | 23 +++++++----------------
+ include/linux/siphash.h | 28 ++++++++++++++++++++++++++++
+ lib/siphash.c | 32 ++++++++++----------------------
+ 4 files changed, 52 insertions(+), 61 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -51,6 +51,7 @@
+ #include <linux/completion.h>
+ #include <linux/uuid.h>
+ #include <linux/uaccess.h>
++#include <linux/siphash.h>
+ #include <crypto/chacha20.h>
+ #include <crypto/blake2s.h>
+ #include <asm/processor.h>
+@@ -1011,12 +1012,11 @@ struct fast_pool {
+
+ static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
+ #ifdef CONFIG_64BIT
+- /* SipHash constants */
+- .pool = { 0x736f6d6570736575UL, 0x646f72616e646f6dUL,
+- 0x6c7967656e657261UL, 0x7465646279746573UL }
++#define FASTMIX_PERM SIPHASH_PERMUTATION
++ .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 }
+ #else
+- /* HalfSipHash constants */
+- .pool = { 0, 0, 0x6c796765U, 0x74656462U }
++#define FASTMIX_PERM HSIPHASH_PERMUTATION
++ .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 }
+ #endif
+ };
+
+@@ -1028,27 +1028,11 @@ static DEFINE_PER_CPU(struct fast_pool,
+ */
+ static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2)
+ {
+-#ifdef CONFIG_64BIT
+-#define PERM() do { \
+- s[0] += s[1]; s[1] = rol64(s[1], 13); s[1] ^= s[0]; s[0] = rol64(s[0], 32); \
+- s[2] += s[3]; s[3] = rol64(s[3], 16); s[3] ^= s[2]; \
+- s[0] += s[3]; s[3] = rol64(s[3], 21); s[3] ^= s[0]; \
+- s[2] += s[1]; s[1] = rol64(s[1], 17); s[1] ^= s[2]; s[2] = rol64(s[2], 32); \
+-} while (0)
+-#else
+-#define PERM() do { \
+- s[0] += s[1]; s[1] = rol32(s[1], 5); s[1] ^= s[0]; s[0] = rol32(s[0], 16); \
+- s[2] += s[3]; s[3] = rol32(s[3], 8); s[3] ^= s[2]; \
+- s[0] += s[3]; s[3] = rol32(s[3], 7); s[3] ^= s[0]; \
+- s[2] += s[1]; s[1] = rol32(s[1], 13); s[1] ^= s[2]; s[2] = rol32(s[2], 16); \
+-} while (0)
+-#endif
+-
+ s[3] ^= v1;
+- PERM();
++ FASTMIX_PERM(s[0], s[1], s[2], s[3]);
+ s[0] ^= v1;
+ s[3] ^= v2;
+- PERM();
++ FASTMIX_PERM(s[0], s[1], s[2], s[3]);
+ s[0] ^= v2;
+ }
+
+--- a/include/linux/prandom.h
++++ b/include/linux/prandom.h
+@@ -10,6 +10,7 @@
+
+ #include <linux/types.h>
+ #include <linux/percpu.h>
++#include <linux/siphash.h>
+
+ u32 prandom_u32(void);
+ void prandom_bytes(void *buf, size_t nbytes);
+@@ -21,15 +22,10 @@ void prandom_reseed_late(void);
+ * The core SipHash round function. Each line can be executed in
+ * parallel given enough CPU resources.
+ */
+-#define PRND_SIPROUND(v0, v1, v2, v3) ( \
+- v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
+- v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
+- v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
+- v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \
+-)
++#define PRND_SIPROUND(v0, v1, v2, v3) SIPHASH_PERMUTATION(v0, v1, v2, v3)
+
+-#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)
+-#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)
++#define PRND_K0 (SIPHASH_CONST_0 ^ SIPHASH_CONST_2)
++#define PRND_K1 (SIPHASH_CONST_1 ^ SIPHASH_CONST_3)
+
+ #elif BITS_PER_LONG == 32
+ /*
+@@ -37,14 +33,9 @@ void prandom_reseed_late(void);
+ * This is weaker, but 32-bit machines are not used for high-traffic
+ * applications, so there is less output for an attacker to analyze.
+ */
+-#define PRND_SIPROUND(v0, v1, v2, v3) ( \
+- v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
+- v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
+- v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
+- v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \
+-)
+-#define PRND_K0 0x6c796765
+-#define PRND_K1 0x74656462
++#define PRND_SIPROUND(v0, v1, v2, v3) HSIPHASH_PERMUTATION(v0, v1, v2, v3)
++#define PRND_K0 (HSIPHASH_CONST_0 ^ HSIPHASH_CONST_2)
++#define PRND_K1 (HSIPHASH_CONST_1 ^ HSIPHASH_CONST_3)
+
+ #else
+ #error Unsupported BITS_PER_LONG
+--- a/include/linux/siphash.h
++++ b/include/linux/siphash.h
+@@ -136,4 +136,32 @@ static inline u32 hsiphash(const void *d
+ return ___hsiphash_aligned(data, len, key);
+ }
+
++/*
++ * These macros expose the raw SipHash and HalfSipHash permutations.
++ * Do not use them directly! If you think you have a use for them,
++ * be sure to CC the maintainer of this file explaining why.
++ */
++
++#define SIPHASH_PERMUTATION(a, b, c, d) ( \
++ (a) += (b), (b) = rol64((b), 13), (b) ^= (a), (a) = rol64((a), 32), \
++ (c) += (d), (d) = rol64((d), 16), (d) ^= (c), \
++ (a) += (d), (d) = rol64((d), 21), (d) ^= (a), \
++ (c) += (b), (b) = rol64((b), 17), (b) ^= (c), (c) = rol64((c), 32))
++
++#define SIPHASH_CONST_0 0x736f6d6570736575ULL
++#define SIPHASH_CONST_1 0x646f72616e646f6dULL
++#define SIPHASH_CONST_2 0x6c7967656e657261ULL
++#define SIPHASH_CONST_3 0x7465646279746573ULL
++
++#define HSIPHASH_PERMUTATION(a, b, c, d) ( \
++ (a) += (b), (b) = rol32((b), 5), (b) ^= (a), (a) = rol32((a), 16), \
++ (c) += (d), (d) = rol32((d), 8), (d) ^= (c), \
++ (a) += (d), (d) = rol32((d), 7), (d) ^= (a), \
++ (c) += (b), (b) = rol32((b), 13), (b) ^= (c), (c) = rol32((c), 16))
++
++#define HSIPHASH_CONST_0 0U
++#define HSIPHASH_CONST_1 0U
++#define HSIPHASH_CONST_2 0x6c796765U
++#define HSIPHASH_CONST_3 0x74656462U
++
+ #endif /* _LINUX_SIPHASH_H */
+--- a/lib/siphash.c
++++ b/lib/siphash.c
+@@ -18,19 +18,13 @@
+ #include <asm/word-at-a-time.h>
+ #endif
+
+-#define SIPROUND \
+- do { \
+- v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \
+- v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \
+- v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \
+- v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \
+- } while (0)
++#define SIPROUND SIPHASH_PERMUTATION(v0, v1, v2, v3)
+
+ #define PREAMBLE(len) \
+- u64 v0 = 0x736f6d6570736575ULL; \
+- u64 v1 = 0x646f72616e646f6dULL; \
+- u64 v2 = 0x6c7967656e657261ULL; \
+- u64 v3 = 0x7465646279746573ULL; \
++ u64 v0 = SIPHASH_CONST_0; \
++ u64 v1 = SIPHASH_CONST_1; \
++ u64 v2 = SIPHASH_CONST_2; \
++ u64 v3 = SIPHASH_CONST_3; \
+ u64 b = ((u64)(len)) << 56; \
+ v3 ^= key->key[1]; \
+ v2 ^= key->key[0]; \
+@@ -389,19 +383,13 @@ u32 hsiphash_4u32(const u32 first, const
+ }
+ EXPORT_SYMBOL(hsiphash_4u32);
+ #else
+-#define HSIPROUND \
+- do { \
+- v0 += v1; v1 = rol32(v1, 5); v1 ^= v0; v0 = rol32(v0, 16); \
+- v2 += v3; v3 = rol32(v3, 8); v3 ^= v2; \
+- v0 += v3; v3 = rol32(v3, 7); v3 ^= v0; \
+- v2 += v1; v1 = rol32(v1, 13); v1 ^= v2; v2 = rol32(v2, 16); \
+- } while (0)
++#define HSIPROUND HSIPHASH_PERMUTATION(v0, v1, v2, v3)
+
+ #define HPREAMBLE(len) \
+- u32 v0 = 0; \
+- u32 v1 = 0; \
+- u32 v2 = 0x6c796765U; \
+- u32 v3 = 0x74656462U; \
++ u32 v0 = HSIPHASH_CONST_0; \
++ u32 v1 = HSIPHASH_CONST_1; \
++ u32 v2 = HSIPHASH_CONST_2; \
++ u32 v3 = HSIPHASH_CONST_3; \
+ u32 b = ((u32)(len)) << 24; \
+ v3 ^= key->key[1]; \
+ v2 ^= key->key[0]; \
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: sparc: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit ac9756c79797bb98972736b13cfb239fd2cffb79 upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+This is accomplished by just including the asm-generic code like on
+other architectures, which means we can get rid of the empty stub
+function here.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/include/asm/timex_32.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/sparc/include/asm/timex_32.h
++++ b/arch/sparc/include/asm/timex_32.h
+@@ -9,8 +9,6 @@
+
+ #define CLOCK_TICK_RATE 1193180 /* Underlying HZ */
+
+-/* XXX Maybe do something better at some point... -DaveM */
+-typedef unsigned long cycles_t;
+-#define get_cycles() (0)
++#include <asm-generic/timex.h>
+
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sun, 10 Apr 2022 16:49:50 +0200
+Subject: timekeeping: Add raw clock fallback for random_get_entropy()
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 1366992e16bddd5e2d9a561687f367f9f802e2e4 upstream.
+
+The addition of random_get_entropy_fallback() provides access to
+whichever time source has the highest frequency, which is useful for
+gathering entropy on platforms without available cycle counters. It's
+not necessarily as good as being able to quickly access a cycle counter
+that the CPU has, but it's still something, even when it falls back to
+being jiffies-based.
+
+In the event that a given arch does not define get_cycles(), falling
+back to the get_cycles() default implementation that returns 0 is really
+not the best we can do. Instead, at least calling
+random_get_entropy_fallback() would be preferable, because that always
+needs to return _something_, even falling back to jiffies eventually.
+It's not as though random_get_entropy_fallback() is super high precision
+or guaranteed to be entropic, but basically anything that's not zero all
+the time is better than returning zero all the time.
+
+Finally, since random_get_entropy_fallback() is used during extremely
+early boot when randomizing freelists in mm_init(), it can be called
+before timekeeping has been initialized. In that case there really is
+nothing we can do; jiffies hasn't even started ticking yet. So just give
+up and return 0.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/timex.h | 8 ++++++++
+ kernel/time/timekeeping.c | 16 ++++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/include/linux/timex.h
++++ b/include/linux/timex.h
+@@ -62,6 +62,8 @@
+ #include <linux/types.h>
+ #include <linux/param.h>
+
++unsigned long random_get_entropy_fallback(void);
++
+ #include <asm/timex.h>
+
+ #ifndef random_get_entropy
+@@ -74,8 +76,14 @@
+ *
+ * By default we use get_cycles() for this purpose, but individual
+ * architectures may override this in their asm/timex.h header file.
++ * If a given arch does not have get_cycles(), then we fallback to
++ * using random_get_entropy_fallback().
+ */
++#ifdef get_cycles
+ #define random_get_entropy() ((unsigned long)get_cycles())
++#else
++#define random_get_entropy() random_get_entropy_fallback()
++#endif
+ #endif
+
+ /*
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -21,6 +21,7 @@
+ #include <linux/clocksource.h>
+ #include <linux/jiffies.h>
+ #include <linux/time.h>
++#include <linux/timex.h>
+ #include <linux/tick.h>
+ #include <linux/stop_machine.h>
+ #include <linux/pvclock_gtod.h>
+@@ -2248,6 +2249,21 @@ ktime_t ktime_get_update_offsets_now(uns
+ }
+
+ /**
++ * random_get_entropy_fallback - Returns the raw clock source value,
++ * used by random.c for platforms with no valid random_get_entropy().
++ */
++unsigned long random_get_entropy_fallback(void)
++{
++ struct tk_read_base *tkr = &tk_core.timekeeper.tkr_mono;
++ struct clocksource *clock = READ_ONCE(tkr->clock);
++
++ if (unlikely(timekeeping_suspended || !clock))
++ return 0;
++ return clock->read(clock);
++}
++EXPORT_SYMBOL_GPL(random_get_entropy_fallback);
++
++/**
+ * do_adjtimex() - Accessor function to NTP __do_adjtimex function
+ */
+ int do_adjtimex(struct timex *txc)
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: um: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 9f13fb0cd11ed2327abff69f6501a2c124c88b5a upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+This is accomplished by just including the asm-generic code like on
+other architectures, which means we can get rid of the empty stub
+function here.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Acked-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/include/asm/timex.h | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/arch/um/include/asm/timex.h
++++ b/arch/um/include/asm/timex.h
+@@ -2,13 +2,8 @@
+ #ifndef __UM_TIMEX_H
+ #define __UM_TIMEX_H
+
+-typedef unsigned long cycles_t;
+-
+-static inline cycles_t get_cycles (void)
+-{
+- return 0;
+-}
+-
+ #define CLOCK_TICK_RATE (HZ)
+
++#include <asm-generic/timex.h>
++
+ #endif
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Fri, 10 Jan 2020 14:54:13 +0000
+Subject: x86: Remove arch_has_random, arch_has_random_seed
+
+From: Richard Henderson <richard.henderson@linaro.org>
+
+commit 5f2ed7f5b99b54389b74e53309677831ac9cb9d7 upstream.
+
+Use the expansion of these macros directly in arch_get_random_*.
+
+These symbols are currently part of the generic archrandom.h
+interface, but are currently unused and can be removed.
+
+Signed-off-by: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20200110145422.49141-2-broonie@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/archrandom.h | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/include/asm/archrandom.h
++++ b/arch/x86/include/asm/archrandom.h
+@@ -86,10 +86,6 @@ static inline bool rdseed_int(unsigned i
+ return ok;
+ }
+
+-/* Conditional execution based on CPU type */
+-#define arch_has_random() static_cpu_has(X86_FEATURE_RDRAND)
+-#define arch_has_random_seed() static_cpu_has(X86_FEATURE_RDSEED)
+-
+ /*
+ * These are the generic interfaces; they must not be declared if the
+ * stubs in <linux/random.h> are to be invoked,
+@@ -99,22 +95,22 @@ static inline bool rdseed_int(unsigned i
+
+ static inline bool arch_get_random_long(unsigned long *v)
+ {
+- return arch_has_random() ? rdrand_long(v) : false;
++ return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_long(v) : false;
+ }
+
+ static inline bool arch_get_random_int(unsigned int *v)
+ {
+- return arch_has_random() ? rdrand_int(v) : false;
++ return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_int(v) : false;
+ }
+
+ static inline bool arch_get_random_seed_long(unsigned long *v)
+ {
+- return arch_has_random_seed() ? rdseed_long(v) : false;
++ return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_long(v) : false;
+ }
+
+ static inline bool arch_get_random_seed_int(unsigned int *v)
+ {
+- return arch_has_random_seed() ? rdseed_int(v) : false;
++ return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_int(v) : false;
+ }
+
+ extern void x86_init_rdrand(struct cpuinfo_x86 *c);
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: x86/tsc: Use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 3bd4abc07a267e6a8b33d7f8717136e18f921c53 upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is suboptimal. Instead, fallback
+to calling random_get_entropy_fallback(), which isn't extremely high
+precision or guaranteed to be entropic, but is certainly better than
+returning zero all the time.
+
+If CONFIG_X86_TSC=n, then it's possible for the kernel to run on systems
+without RDTSC, such as 486 and certain 586, so the fallback code is only
+required for that case.
+
+As well, fix up both the new function and the get_cycles() function from
+which it was derived to use cpu_feature_enabled() rather than
+boot_cpu_has(), and use !IS_ENABLED() instead of #ifndef.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: x86@kernel.org
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/timex.h | 9 +++++++++
+ arch/x86/include/asm/tsc.h | 7 +++----
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/timex.h
++++ b/arch/x86/include/asm/timex.h
+@@ -5,6 +5,15 @@
+ #include <asm/processor.h>
+ #include <asm/tsc.h>
+
++static inline unsigned long random_get_entropy(void)
++{
++ if (!IS_ENABLED(CONFIG_X86_TSC) &&
++ !cpu_feature_enabled(X86_FEATURE_TSC))
++ return random_get_entropy_fallback();
++ return rdtsc();
++}
++#define random_get_entropy random_get_entropy
++
+ /* Assume we use the PIT time source for the clock tick */
+ #define CLOCK_TICK_RATE PIT_TICK_RATE
+
+--- a/arch/x86/include/asm/tsc.h
++++ b/arch/x86/include/asm/tsc.h
+@@ -22,13 +22,12 @@ extern void disable_TSC(void);
+
+ static inline cycles_t get_cycles(void)
+ {
+-#ifndef CONFIG_X86_TSC
+- if (!boot_cpu_has(X86_FEATURE_TSC))
++ if (!IS_ENABLED(CONFIG_X86_TSC) &&
++ !cpu_feature_enabled(X86_FEATURE_TSC))
+ return 0;
+-#endif
+-
+ return rdtsc();
+ }
++#define get_cycles get_cycles
+
+ extern struct system_counterval_t convert_art_to_tsc(u64 art);
+
--- /dev/null
+From foo@baz Thu Jun 16 07:08:33 PM CEST 2022
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 8 Apr 2022 18:03:13 +0200
+Subject: xtensa: use fallback for random_get_entropy() instead of zero
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit e10e2f58030c5c211d49042a8c2a1b93d40b2ffb upstream.
+
+In the event that random_get_entropy() can't access a cycle counter or
+similar, falling back to returning 0 is really not the best we can do.
+Instead, at least calling random_get_entropy_fallback() would be
+preferable, because that always needs to return _something_, even
+falling back to jiffies eventually. It's not as though
+random_get_entropy_fallback() is super high precision or guaranteed to
+be entropic, but basically anything that's not zero all the time is
+better than returning zero all the time.
+
+This is accomplished by just including the asm-generic code like on
+other architectures, which means we can get rid of the empty stub
+function here.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/include/asm/timex.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/xtensa/include/asm/timex.h
++++ b/arch/xtensa/include/asm/timex.h
+@@ -30,10 +30,6 @@
+
+ extern unsigned long ccount_freq;
+
+-typedef unsigned long long cycles_t;
+-
+-#define get_cycles() (0)
+-
+ void local_timer_setup(unsigned cpu);
+
+ /*
+@@ -69,4 +65,6 @@ static inline void set_linux_timer (unsi
+ WSR_CCOMPARE(LINUX_TIMER, ccompare);
+ }
+
++#include <asm-generic/timex.h>
++
+ #endif /* _XTENSA_TIMEX_H */
projects / thirdparty / kernel / stable-queue.git / commitdiff
