Contents of /trunk/kernel-alx/patches-5.4/0299-5.4.200-all-fixes.patch
Parent Directory | Revision Log
Revision 3637 -
(show annotations)
(download)
Mon Oct 24 12:40:44 2022 UTC (23 months ago) by niro
File size: 290944 byte(s)
Mon Oct 24 12:40:44 2022 UTC (23 months ago) by niro
File size: 290944 byte(s)
-add missing
1 | diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt |
2 | index cad17c7a311e9..db9d53b879f89 100644 |
3 | --- a/Documentation/admin-guide/kernel-parameters.txt |
4 | +++ b/Documentation/admin-guide/kernel-parameters.txt |
5 | @@ -3842,6 +3842,12 @@ |
6 | fully seed the kernel's CRNG. Default is controlled |
7 | by CONFIG_RANDOM_TRUST_CPU. |
8 | |
9 | + random.trust_bootloader={on,off} |
10 | + [KNL] Enable or disable trusting the use of a |
11 | + seed passed by the bootloader (if available) to |
12 | + fully seed the kernel's CRNG. Default is controlled |
13 | + by CONFIG_RANDOM_TRUST_BOOTLOADER. |
14 | + |
15 | ras=option[,option,...] [KNL] RAS-specific options |
16 | |
17 | cec_disable [X86] |
18 | diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst |
19 | index 7b477fa19534d..9715685be6e3b 100644 |
20 | --- a/Documentation/admin-guide/sysctl/kernel.rst |
21 | +++ b/Documentation/admin-guide/sysctl/kernel.rst |
22 | @@ -862,9 +862,40 @@ The kernel command line parameter printk.devkmsg= overrides this and is |
23 | a one-time setting until next reboot: once set, it cannot be changed by |
24 | this sysctl interface anymore. |
25 | |
26 | +pty |
27 | +=== |
28 | |
29 | -randomize_va_space: |
30 | -=================== |
31 | +See Documentation/filesystems/devpts.rst. |
32 | + |
33 | + |
34 | +random |
35 | +====== |
36 | + |
37 | +This is a directory, with the following entries: |
38 | + |
39 | +* ``boot_id``: a UUID generated the first time this is retrieved, and |
40 | + unvarying after that; |
41 | + |
42 | +* ``uuid``: a UUID generated every time this is retrieved (this can |
43 | + thus be used to generate UUIDs at will); |
44 | + |
45 | +* ``entropy_avail``: the pool's entropy count, in bits; |
46 | + |
47 | +* ``poolsize``: the entropy pool size, in bits; |
48 | + |
49 | +* ``urandom_min_reseed_secs``: obsolete (used to determine the minimum |
50 | + number of seconds between urandom pool reseeding). This file is |
51 | + writable for compatibility purposes, but writing to it has no effect |
52 | + on any RNG behavior; |
53 | + |
54 | +* ``write_wakeup_threshold``: when the entropy count drops below this |
55 | + (as a number of bits), processes waiting to write to ``/dev/random`` |
56 | + are woken up. This file is writable for compatibility purposes, but |
57 | + writing to it has no effect on any RNG behavior. |
58 | + |
59 | + |
60 | +randomize_va_space |
61 | +================== |
62 | |
63 | This option can be used to select the type of process address |
64 | space randomization that is used in the system, for architectures |
65 | diff --git a/MAINTAINERS b/MAINTAINERS |
66 | index 1407008df7491..f45d6548a4aa8 100644 |
67 | --- a/MAINTAINERS |
68 | +++ b/MAINTAINERS |
69 | @@ -13640,6 +13640,7 @@ F: arch/mips/configs/generic/board-ranchu.config |
70 | |
71 | RANDOM NUMBER DRIVER |
72 | M: "Theodore Ts'o" <tytso@mit.edu> |
73 | +M: Jason A. Donenfeld <Jason@zx2c4.com> |
74 | S: Maintained |
75 | F: drivers/char/random.c |
76 | |
77 | diff --git a/Makefile b/Makefile |
78 | index a8d2f2a1c052a..32da9117e9d76 100644 |
79 | --- a/Makefile |
80 | +++ b/Makefile |
81 | @@ -1,7 +1,7 @@ |
82 | # SPDX-License-Identifier: GPL-2.0 |
83 | VERSION = 5 |
84 | PATCHLEVEL = 4 |
85 | -SUBLEVEL = 199 |
86 | +SUBLEVEL = 200 |
87 | EXTRAVERSION = |
88 | NAME = Kleptomaniac Octopus |
89 | |
90 | diff --git a/arch/alpha/include/asm/timex.h b/arch/alpha/include/asm/timex.h |
91 | index b565cc6f408e9..f89798da8a147 100644 |
92 | --- a/arch/alpha/include/asm/timex.h |
93 | +++ b/arch/alpha/include/asm/timex.h |
94 | @@ -28,5 +28,6 @@ static inline cycles_t get_cycles (void) |
95 | __asm__ __volatile__ ("rpcc %0" : "=r"(ret)); |
96 | return ret; |
97 | } |
98 | +#define get_cycles get_cycles |
99 | |
100 | #endif |
101 | diff --git a/arch/arm/include/asm/timex.h b/arch/arm/include/asm/timex.h |
102 | index 7c3b3671d6c25..6d1337c169cd3 100644 |
103 | --- a/arch/arm/include/asm/timex.h |
104 | +++ b/arch/arm/include/asm/timex.h |
105 | @@ -11,5 +11,6 @@ |
106 | |
107 | typedef unsigned long cycles_t; |
108 | #define get_cycles() ({ cycles_t c; read_current_timer(&c) ? 0 : c; }) |
109 | +#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback()) |
110 | |
111 | #endif |
112 | diff --git a/arch/arm64/include/asm/brk-imm.h b/arch/arm64/include/asm/brk-imm.h |
113 | index e3d47b52161db..ec7720dbe2c80 100644 |
114 | --- a/arch/arm64/include/asm/brk-imm.h |
115 | +++ b/arch/arm64/include/asm/brk-imm.h |
116 | @@ -10,6 +10,7 @@ |
117 | * #imm16 values used for BRK instruction generation |
118 | * 0x004: for installing kprobes |
119 | * 0x005: for installing uprobes |
120 | + * 0x006: for kprobe software single-step |
121 | * Allowed values for kgdb are 0x400 - 0x7ff |
122 | * 0x100: for triggering a fault on purpose (reserved) |
123 | * 0x400: for dynamic BRK instruction |
124 | @@ -19,6 +20,7 @@ |
125 | */ |
126 | #define KPROBES_BRK_IMM 0x004 |
127 | #define UPROBES_BRK_IMM 0x005 |
128 | +#define KPROBES_BRK_SS_IMM 0x006 |
129 | #define FAULT_BRK_IMM 0x100 |
130 | #define KGDB_DYN_DBG_BRK_IMM 0x400 |
131 | #define KGDB_COMPILED_DBG_BRK_IMM 0x401 |
132 | diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h |
133 | index d825e3585e28d..0253691c4b3a1 100644 |
134 | --- a/arch/arm64/include/asm/debug-monitors.h |
135 | +++ b/arch/arm64/include/asm/debug-monitors.h |
136 | @@ -53,6 +53,7 @@ |
137 | |
138 | /* kprobes BRK opcodes with ESR encoding */ |
139 | #define BRK64_OPCODE_KPROBES (AARCH64_BREAK_MON | (KPROBES_BRK_IMM << 5)) |
140 | +#define BRK64_OPCODE_KPROBES_SS (AARCH64_BREAK_MON | (KPROBES_BRK_SS_IMM << 5)) |
141 | /* uprobes BRK opcodes with ESR encoding */ |
142 | #define BRK64_OPCODE_UPROBES (AARCH64_BREAK_MON | (UPROBES_BRK_IMM << 5)) |
143 | |
144 | diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h |
145 | index 97e511d645a21..8699ce30f587e 100644 |
146 | --- a/arch/arm64/include/asm/kprobes.h |
147 | +++ b/arch/arm64/include/asm/kprobes.h |
148 | @@ -16,7 +16,7 @@ |
149 | #include <linux/percpu.h> |
150 | |
151 | #define __ARCH_WANT_KPROBES_INSN_SLOT |
152 | -#define MAX_INSN_SIZE 1 |
153 | +#define MAX_INSN_SIZE 2 |
154 | |
155 | #define flush_insn_slot(p) do { } while (0) |
156 | #define kretprobe_blacklist_size 0 |
157 | diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c |
158 | index 822718eafdb44..d4a4be02d309c 100644 |
159 | --- a/arch/arm64/kernel/ftrace.c |
160 | +++ b/arch/arm64/kernel/ftrace.c |
161 | @@ -69,7 +69,7 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr) |
162 | { |
163 | unsigned long pc = rec->ip; |
164 | u32 old, new; |
165 | - long offset = (long)pc - (long)addr; |
166 | + long offset = (long)addr - (long)pc; |
167 | |
168 | if (offset < -SZ_128M || offset >= SZ_128M) { |
169 | #ifdef CONFIG_ARM64_MODULE_PLTS |
170 | @@ -126,7 +126,7 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec, |
171 | unsigned long pc = rec->ip; |
172 | bool validate = true; |
173 | u32 old = 0, new; |
174 | - long offset = (long)pc - (long)addr; |
175 | + long offset = (long)addr - (long)pc; |
176 | |
177 | if (offset < -SZ_128M || offset >= SZ_128M) { |
178 | #ifdef CONFIG_ARM64_MODULE_PLTS |
179 | diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c |
180 | index c4452827419b0..b41ed2f907b0e 100644 |
181 | --- a/arch/arm64/kernel/probes/kprobes.c |
182 | +++ b/arch/arm64/kernel/probes/kprobes.c |
183 | @@ -36,25 +36,16 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); |
184 | static void __kprobes |
185 | post_kprobe_handler(struct kprobe_ctlblk *, struct pt_regs *); |
186 | |
187 | -static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode) |
188 | -{ |
189 | - void *addrs[1]; |
190 | - u32 insns[1]; |
191 | - |
192 | - addrs[0] = addr; |
193 | - insns[0] = opcode; |
194 | - |
195 | - return aarch64_insn_patch_text(addrs, insns, 1); |
196 | -} |
197 | - |
198 | static void __kprobes arch_prepare_ss_slot(struct kprobe *p) |
199 | { |
200 | + kprobe_opcode_t *addr = p->ainsn.api.insn; |
201 | + void *addrs[] = {addr, addr + 1}; |
202 | + u32 insns[] = {p->opcode, BRK64_OPCODE_KPROBES_SS}; |
203 | + |
204 | /* prepare insn slot */ |
205 | - patch_text(p->ainsn.api.insn, p->opcode); |
206 | + aarch64_insn_patch_text(addrs, insns, 2); |
207 | |
208 | - flush_icache_range((uintptr_t) (p->ainsn.api.insn), |
209 | - (uintptr_t) (p->ainsn.api.insn) + |
210 | - MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); |
211 | + flush_icache_range((uintptr_t)addr, (uintptr_t)(addr + MAX_INSN_SIZE)); |
212 | |
213 | /* |
214 | * Needs restoring of return address after stepping xol. |
215 | @@ -134,13 +125,18 @@ void *alloc_insn_page(void) |
216 | /* arm kprobe: install breakpoint in text */ |
217 | void __kprobes arch_arm_kprobe(struct kprobe *p) |
218 | { |
219 | - patch_text(p->addr, BRK64_OPCODE_KPROBES); |
220 | + void *addr = p->addr; |
221 | + u32 insn = BRK64_OPCODE_KPROBES; |
222 | + |
223 | + aarch64_insn_patch_text(&addr, &insn, 1); |
224 | } |
225 | |
226 | /* disarm kprobe: remove breakpoint from text */ |
227 | void __kprobes arch_disarm_kprobe(struct kprobe *p) |
228 | { |
229 | - patch_text(p->addr, p->opcode); |
230 | + void *addr = p->addr; |
231 | + |
232 | + aarch64_insn_patch_text(&addr, &p->opcode, 1); |
233 | } |
234 | |
235 | void __kprobes arch_remove_kprobe(struct kprobe *p) |
236 | @@ -169,20 +165,15 @@ static void __kprobes set_current_kprobe(struct kprobe *p) |
237 | } |
238 | |
239 | /* |
240 | - * Interrupts need to be disabled before single-step mode is set, and not |
241 | - * reenabled until after single-step mode ends. |
242 | - * Without disabling interrupt on local CPU, there is a chance of |
243 | - * interrupt occurrence in the period of exception return and start of |
244 | - * out-of-line single-step, that result in wrongly single stepping |
245 | - * into the interrupt handler. |
246 | + * Mask all of DAIF while executing the instruction out-of-line, to keep things |
247 | + * simple and avoid nesting exceptions. Interrupts do have to be disabled since |
248 | + * the kprobe state is per-CPU and doesn't get migrated. |
249 | */ |
250 | static void __kprobes kprobes_save_local_irqflag(struct kprobe_ctlblk *kcb, |
251 | struct pt_regs *regs) |
252 | { |
253 | kcb->saved_irqflag = regs->pstate & DAIF_MASK; |
254 | - regs->pstate |= PSR_I_BIT; |
255 | - /* Unmask PSTATE.D for enabling software step exceptions. */ |
256 | - regs->pstate &= ~PSR_D_BIT; |
257 | + regs->pstate |= DAIF_MASK; |
258 | } |
259 | |
260 | static void __kprobes kprobes_restore_local_irqflag(struct kprobe_ctlblk *kcb, |
261 | @@ -225,10 +216,7 @@ static void __kprobes setup_singlestep(struct kprobe *p, |
262 | slot = (unsigned long)p->ainsn.api.insn; |
263 | |
264 | set_ss_context(kcb, slot); /* mark pending ss */ |
265 | - |
266 | - /* IRQs and single stepping do not mix well. */ |
267 | kprobes_save_local_irqflag(kcb, regs); |
268 | - kernel_enable_single_step(regs); |
269 | instruction_pointer_set(regs, slot); |
270 | } else { |
271 | /* insn simulation */ |
272 | @@ -279,12 +267,8 @@ post_kprobe_handler(struct kprobe_ctlblk *kcb, struct pt_regs *regs) |
273 | } |
274 | /* call post handler */ |
275 | kcb->kprobe_status = KPROBE_HIT_SSDONE; |
276 | - if (cur->post_handler) { |
277 | - /* post_handler can hit breakpoint and single step |
278 | - * again, so we enable D-flag for recursive exception. |
279 | - */ |
280 | + if (cur->post_handler) |
281 | cur->post_handler(cur, regs, 0); |
282 | - } |
283 | |
284 | reset_current_kprobe(); |
285 | } |
286 | @@ -308,8 +292,6 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr) |
287 | if (!instruction_pointer(regs)) |
288 | BUG(); |
289 | |
290 | - kernel_disable_single_step(); |
291 | - |
292 | if (kcb->kprobe_status == KPROBE_REENTER) |
293 | restore_previous_kprobe(kcb); |
294 | else |
295 | @@ -371,10 +353,6 @@ static void __kprobes kprobe_handler(struct pt_regs *regs) |
296 | * pre-handler and it returned non-zero, it will |
297 | * modify the execution path and no need to single |
298 | * stepping. Let's just reset current kprobe and exit. |
299 | - * |
300 | - * pre_handler can hit a breakpoint and can step thru |
301 | - * before return, keep PSTATE D-flag enabled until |
302 | - * pre_handler return back. |
303 | */ |
304 | if (!p->pre_handler || !p->pre_handler(p, regs)) { |
305 | setup_singlestep(p, regs, kcb, 0); |
306 | @@ -405,7 +383,7 @@ kprobe_ss_hit(struct kprobe_ctlblk *kcb, unsigned long addr) |
307 | } |
308 | |
309 | static int __kprobes |
310 | -kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr) |
311 | +kprobe_breakpoint_ss_handler(struct pt_regs *regs, unsigned int esr) |
312 | { |
313 | struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); |
314 | int retval; |
315 | @@ -415,16 +393,15 @@ kprobe_single_step_handler(struct pt_regs *regs, unsigned int esr) |
316 | |
317 | if (retval == DBG_HOOK_HANDLED) { |
318 | kprobes_restore_local_irqflag(kcb, regs); |
319 | - kernel_disable_single_step(); |
320 | - |
321 | post_kprobe_handler(kcb, regs); |
322 | } |
323 | |
324 | return retval; |
325 | } |
326 | |
327 | -static struct step_hook kprobes_step_hook = { |
328 | - .fn = kprobe_single_step_handler, |
329 | +static struct break_hook kprobes_break_ss_hook = { |
330 | + .imm = KPROBES_BRK_SS_IMM, |
331 | + .fn = kprobe_breakpoint_ss_handler, |
332 | }; |
333 | |
334 | static int __kprobes |
335 | @@ -568,7 +545,7 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p) |
336 | int __init arch_init_kprobes(void) |
337 | { |
338 | register_kernel_break_hook(&kprobes_break_hook); |
339 | - register_kernel_step_hook(&kprobes_step_hook); |
340 | + register_kernel_break_hook(&kprobes_break_ss_hook); |
341 | |
342 | return 0; |
343 | } |
344 | diff --git a/arch/ia64/include/asm/timex.h b/arch/ia64/include/asm/timex.h |
345 | index 869a3ac6bf23a..7ccc077a60bed 100644 |
346 | --- a/arch/ia64/include/asm/timex.h |
347 | +++ b/arch/ia64/include/asm/timex.h |
348 | @@ -39,6 +39,7 @@ get_cycles (void) |
349 | ret = ia64_getreg(_IA64_REG_AR_ITC); |
350 | return ret; |
351 | } |
352 | +#define get_cycles get_cycles |
353 | |
354 | extern void ia64_cpu_local_tick (void); |
355 | extern unsigned long long ia64_native_sched_clock (void); |
356 | diff --git a/arch/m68k/include/asm/timex.h b/arch/m68k/include/asm/timex.h |
357 | index 6a21d93582805..f4a7a340f4cae 100644 |
358 | --- a/arch/m68k/include/asm/timex.h |
359 | +++ b/arch/m68k/include/asm/timex.h |
360 | @@ -35,7 +35,7 @@ static inline unsigned long random_get_entropy(void) |
361 | { |
362 | if (mach_random_get_entropy) |
363 | return mach_random_get_entropy(); |
364 | - return 0; |
365 | + return random_get_entropy_fallback(); |
366 | } |
367 | #define random_get_entropy random_get_entropy |
368 | |
369 | diff --git a/arch/mips/include/asm/timex.h b/arch/mips/include/asm/timex.h |
370 | index 8026baf46e729..2e107886f97ac 100644 |
371 | --- a/arch/mips/include/asm/timex.h |
372 | +++ b/arch/mips/include/asm/timex.h |
373 | @@ -76,25 +76,24 @@ static inline cycles_t get_cycles(void) |
374 | else |
375 | return 0; /* no usable counter */ |
376 | } |
377 | +#define get_cycles get_cycles |
378 | |
379 | /* |
380 | * Like get_cycles - but where c0_count is not available we desperately |
381 | * use c0_random in an attempt to get at least a little bit of entropy. |
382 | - * |
383 | - * R6000 and R6000A neither have a count register nor a random register. |
384 | - * That leaves no entropy source in the CPU itself. |
385 | */ |
386 | static inline unsigned long random_get_entropy(void) |
387 | { |
388 | - unsigned int prid = read_c0_prid(); |
389 | - unsigned int imp = prid & PRID_IMP_MASK; |
390 | + unsigned int c0_random; |
391 | |
392 | - if (can_use_mips_counter(prid)) |
393 | + if (can_use_mips_counter(read_c0_prid())) |
394 | return read_c0_count(); |
395 | - else if (likely(imp != PRID_IMP_R6000 && imp != PRID_IMP_R6000A)) |
396 | - return read_c0_random(); |
397 | + |
398 | + if (cpu_has_3kex) |
399 | + c0_random = (read_c0_random() >> 8) & 0x3f; |
400 | else |
401 | - return 0; /* no usable register */ |
402 | + c0_random = read_c0_random() & 0x3f; |
403 | + return (random_get_entropy_fallback() << 6) | (0x3f - c0_random); |
404 | } |
405 | #define random_get_entropy random_get_entropy |
406 | |
407 | diff --git a/arch/nios2/include/asm/timex.h b/arch/nios2/include/asm/timex.h |
408 | index a769f871b28d9..40a1adc9bd03e 100644 |
409 | --- a/arch/nios2/include/asm/timex.h |
410 | +++ b/arch/nios2/include/asm/timex.h |
411 | @@ -8,5 +8,8 @@ |
412 | typedef unsigned long cycles_t; |
413 | |
414 | extern cycles_t get_cycles(void); |
415 | +#define get_cycles get_cycles |
416 | + |
417 | +#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback()) |
418 | |
419 | #endif |
420 | diff --git a/arch/parisc/include/asm/timex.h b/arch/parisc/include/asm/timex.h |
421 | index 45537cd4d1d39..1cd2bd3eef33b 100644 |
422 | --- a/arch/parisc/include/asm/timex.h |
423 | +++ b/arch/parisc/include/asm/timex.h |
424 | @@ -12,9 +12,10 @@ |
425 | |
426 | typedef unsigned long cycles_t; |
427 | |
428 | -static inline cycles_t get_cycles (void) |
429 | +static inline cycles_t get_cycles(void) |
430 | { |
431 | return mfctl(16); |
432 | } |
433 | +#define get_cycles get_cycles |
434 | |
435 | #endif |
436 | diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h |
437 | index a09595f00cabe..f0f16b4fc5ea1 100644 |
438 | --- a/arch/powerpc/include/asm/archrandom.h |
439 | +++ b/arch/powerpc/include/asm/archrandom.h |
440 | @@ -6,27 +6,28 @@ |
441 | |
442 | #include <asm/machdep.h> |
443 | |
444 | -static inline int arch_get_random_long(unsigned long *v) |
445 | +static inline bool arch_get_random_long(unsigned long *v) |
446 | { |
447 | - return 0; |
448 | + return false; |
449 | } |
450 | |
451 | -static inline int arch_get_random_int(unsigned int *v) |
452 | +static inline bool arch_get_random_int(unsigned int *v) |
453 | { |
454 | - return 0; |
455 | + return false; |
456 | } |
457 | |
458 | -static inline int arch_get_random_seed_long(unsigned long *v) |
459 | +static inline bool arch_get_random_seed_long(unsigned long *v) |
460 | { |
461 | if (ppc_md.get_random_seed) |
462 | return ppc_md.get_random_seed(v); |
463 | |
464 | - return 0; |
465 | + return false; |
466 | } |
467 | -static inline int arch_get_random_seed_int(unsigned int *v) |
468 | + |
469 | +static inline bool arch_get_random_seed_int(unsigned int *v) |
470 | { |
471 | unsigned long val; |
472 | - int rc; |
473 | + bool rc; |
474 | |
475 | rc = arch_get_random_seed_long(&val); |
476 | if (rc) |
477 | @@ -34,16 +35,6 @@ static inline int arch_get_random_seed_int(unsigned int *v) |
478 | |
479 | return rc; |
480 | } |
481 | - |
482 | -static inline int arch_has_random(void) |
483 | -{ |
484 | - return 0; |
485 | -} |
486 | - |
487 | -static inline int arch_has_random_seed(void) |
488 | -{ |
489 | - return !!ppc_md.get_random_seed; |
490 | -} |
491 | #endif /* CONFIG_ARCH_RANDOM */ |
492 | |
493 | #ifdef CONFIG_PPC_POWERNV |
494 | diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h |
495 | index c1df75edde441..a9af63bd430f2 100644 |
496 | --- a/arch/powerpc/include/asm/ppc-opcode.h |
497 | +++ b/arch/powerpc/include/asm/ppc-opcode.h |
498 | @@ -204,6 +204,7 @@ |
499 | #define PPC_INST_ICBT 0x7c00002c |
500 | #define PPC_INST_ICSWX 0x7c00032d |
501 | #define PPC_INST_ICSWEPX 0x7c00076d |
502 | +#define PPC_INST_DSSALL 0x7e00066c |
503 | #define PPC_INST_ISEL 0x7c00001e |
504 | #define PPC_INST_ISEL_MASK 0xfc00003e |
505 | #define PPC_INST_LDARX 0x7c0000a8 |
506 | @@ -439,6 +440,7 @@ |
507 | __PPC_RA(a) | __PPC_RB(b)) |
508 | #define PPC_DCBZL(a, b) stringify_in_c(.long PPC_INST_DCBZL | \ |
509 | __PPC_RA(a) | __PPC_RB(b)) |
510 | +#define PPC_DSSALL stringify_in_c(.long PPC_INST_DSSALL) |
511 | #define PPC_LQARX(t, a, b, eh) stringify_in_c(.long PPC_INST_LQARX | \ |
512 | ___PPC_RT(t) | ___PPC_RA(a) | \ |
513 | ___PPC_RB(b) | __PPC_EH(eh)) |
514 | diff --git a/arch/powerpc/include/asm/timex.h b/arch/powerpc/include/asm/timex.h |
515 | index 6047402b0a4db..5405cb2fe65a2 100644 |
516 | --- a/arch/powerpc/include/asm/timex.h |
517 | +++ b/arch/powerpc/include/asm/timex.h |
518 | @@ -22,6 +22,7 @@ static inline cycles_t get_cycles(void) |
519 | |
520 | return mftb(); |
521 | } |
522 | +#define get_cycles get_cycles |
523 | |
524 | #endif /* __KERNEL__ */ |
525 | #endif /* _ASM_POWERPC_TIMEX_H */ |
526 | diff --git a/arch/powerpc/kernel/idle_6xx.S b/arch/powerpc/kernel/idle_6xx.S |
527 | index 0ffdd18b9f268..acb8215c5a01d 100644 |
528 | --- a/arch/powerpc/kernel/idle_6xx.S |
529 | +++ b/arch/powerpc/kernel/idle_6xx.S |
530 | @@ -129,7 +129,7 @@ BEGIN_FTR_SECTION |
531 | END_FTR_SECTION_IFCLR(CPU_FTR_NO_DPM) |
532 | mtspr SPRN_HID0,r4 |
533 | BEGIN_FTR_SECTION |
534 | - DSSALL |
535 | + PPC_DSSALL |
536 | sync |
537 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
538 | lwz r8,TI_LOCAL_FLAGS(r2) /* set napping bit */ |
539 | diff --git a/arch/powerpc/kernel/l2cr_6xx.S b/arch/powerpc/kernel/l2cr_6xx.S |
540 | index 2020d255585fa..7684f644e93e4 100644 |
541 | --- a/arch/powerpc/kernel/l2cr_6xx.S |
542 | +++ b/arch/powerpc/kernel/l2cr_6xx.S |
543 | @@ -96,7 +96,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L2CR) |
544 | |
545 | /* Stop DST streams */ |
546 | BEGIN_FTR_SECTION |
547 | - DSSALL |
548 | + PPC_DSSALL |
549 | sync |
550 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
551 | |
552 | @@ -293,7 +293,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L3CR) |
553 | isync |
554 | |
555 | /* Stop DST streams */ |
556 | - DSSALL |
557 | + PPC_DSSALL |
558 | sync |
559 | |
560 | /* Get the current enable bit of the L3CR into r4 */ |
561 | @@ -402,7 +402,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_L3CR) |
562 | _GLOBAL(__flush_disable_L1) |
563 | /* Stop pending alitvec streams and memory accesses */ |
564 | BEGIN_FTR_SECTION |
565 | - DSSALL |
566 | + PPC_DSSALL |
567 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
568 | sync |
569 | |
570 | diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c |
571 | index c94bba9142e7e..832663f214226 100644 |
572 | --- a/arch/powerpc/kernel/process.c |
573 | +++ b/arch/powerpc/kernel/process.c |
574 | @@ -2001,12 +2001,12 @@ static unsigned long __get_wchan(struct task_struct *p) |
575 | return 0; |
576 | |
577 | do { |
578 | - sp = *(unsigned long *)sp; |
579 | + sp = READ_ONCE_NOCHECK(*(unsigned long *)sp); |
580 | if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) || |
581 | p->state == TASK_RUNNING) |
582 | return 0; |
583 | if (count > 0) { |
584 | - ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE]; |
585 | + ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]); |
586 | if (!in_sched_functions(ip)) |
587 | return ip; |
588 | } |
589 | diff --git a/arch/powerpc/kernel/swsusp_32.S b/arch/powerpc/kernel/swsusp_32.S |
590 | index cbdf86228eaaa..54c44aea338c4 100644 |
591 | --- a/arch/powerpc/kernel/swsusp_32.S |
592 | +++ b/arch/powerpc/kernel/swsusp_32.S |
593 | @@ -181,7 +181,7 @@ _GLOBAL(swsusp_arch_resume) |
594 | #ifdef CONFIG_ALTIVEC |
595 | /* Stop pending alitvec streams and memory accesses */ |
596 | BEGIN_FTR_SECTION |
597 | - DSSALL |
598 | + PPC_DSSALL |
599 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
600 | #endif |
601 | sync |
602 | diff --git a/arch/powerpc/kernel/swsusp_asm64.S b/arch/powerpc/kernel/swsusp_asm64.S |
603 | index 6d3189830dd32..068a268a8013e 100644 |
604 | --- a/arch/powerpc/kernel/swsusp_asm64.S |
605 | +++ b/arch/powerpc/kernel/swsusp_asm64.S |
606 | @@ -142,7 +142,7 @@ END_FW_FTR_SECTION_IFCLR(FW_FEATURE_LPAR) |
607 | _GLOBAL(swsusp_arch_resume) |
608 | /* Stop pending alitvec streams and memory accesses */ |
609 | BEGIN_FTR_SECTION |
610 | - DSSALL |
611 | + PPC_DSSALL |
612 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
613 | sync |
614 | |
615 | diff --git a/arch/powerpc/mm/mmu_context.c b/arch/powerpc/mm/mmu_context.c |
616 | index 18f20da0d3483..64290d343b557 100644 |
617 | --- a/arch/powerpc/mm/mmu_context.c |
618 | +++ b/arch/powerpc/mm/mmu_context.c |
619 | @@ -79,7 +79,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, |
620 | * context |
621 | */ |
622 | if (cpu_has_feature(CPU_FTR_ALTIVEC)) |
623 | - asm volatile ("dssall"); |
624 | + asm volatile (PPC_DSSALL); |
625 | |
626 | if (new_on_cpu) |
627 | radix_kvm_prefetch_workaround(next); |
628 | diff --git a/arch/powerpc/platforms/powermac/cache.S b/arch/powerpc/platforms/powermac/cache.S |
629 | index da69e0fcb4f15..9b85b030cbebb 100644 |
630 | --- a/arch/powerpc/platforms/powermac/cache.S |
631 | +++ b/arch/powerpc/platforms/powermac/cache.S |
632 | @@ -48,7 +48,7 @@ flush_disable_75x: |
633 | |
634 | /* Stop DST streams */ |
635 | BEGIN_FTR_SECTION |
636 | - DSSALL |
637 | + PPC_DSSALL |
638 | sync |
639 | END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) |
640 | |
641 | @@ -196,7 +196,7 @@ flush_disable_745x: |
642 | isync |
643 | |
644 | /* Stop prefetch streams */ |
645 | - DSSALL |
646 | + PPC_DSSALL |
647 | sync |
648 | |
649 | /* Disable L2 prefetching */ |
650 | diff --git a/arch/riscv/include/asm/asm-prototypes.h b/arch/riscv/include/asm/asm-prototypes.h |
651 | index c9fecd120d187..8ae9708a8eee8 100644 |
652 | --- a/arch/riscv/include/asm/asm-prototypes.h |
653 | +++ b/arch/riscv/include/asm/asm-prototypes.h |
654 | @@ -4,4 +4,8 @@ |
655 | #include <linux/ftrace.h> |
656 | #include <asm-generic/asm-prototypes.h> |
657 | |
658 | +long long __lshrti3(long long a, int b); |
659 | +long long __ashrti3(long long a, int b); |
660 | +long long __ashlti3(long long a, int b); |
661 | + |
662 | #endif /* _ASM_RISCV_PROTOTYPES_H */ |
663 | diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h |
664 | index f539149d04c20..8c5b11a640dd3 100644 |
665 | --- a/arch/riscv/include/asm/processor.h |
666 | +++ b/arch/riscv/include/asm/processor.h |
667 | @@ -22,6 +22,8 @@ |
668 | |
669 | #ifndef __ASSEMBLY__ |
670 | |
671 | +#include <asm/barrier.h> |
672 | + |
673 | struct task_struct; |
674 | struct pt_regs; |
675 | |
676 | diff --git a/arch/riscv/lib/tishift.S b/arch/riscv/lib/tishift.S |
677 | index 15f9d54c7db63..ef90075c4b0a9 100644 |
678 | --- a/arch/riscv/lib/tishift.S |
679 | +++ b/arch/riscv/lib/tishift.S |
680 | @@ -4,34 +4,73 @@ |
681 | */ |
682 | |
683 | #include <linux/linkage.h> |
684 | +#include <asm-generic/export.h> |
685 | |
686 | -ENTRY(__lshrti3) |
687 | +SYM_FUNC_START(__lshrti3) |
688 | beqz a2, .L1 |
689 | li a5,64 |
690 | sub a5,a5,a2 |
691 | - addi sp,sp,-16 |
692 | sext.w a4,a5 |
693 | blez a5, .L2 |
694 | sext.w a2,a2 |
695 | - sll a4,a1,a4 |
696 | srl a0,a0,a2 |
697 | - srl a1,a1,a2 |
698 | + sll a4,a1,a4 |
699 | + srl a2,a1,a2 |
700 | or a0,a0,a4 |
701 | - sd a1,8(sp) |
702 | - sd a0,0(sp) |
703 | - ld a0,0(sp) |
704 | - ld a1,8(sp) |
705 | - addi sp,sp,16 |
706 | - ret |
707 | + mv a1,a2 |
708 | .L1: |
709 | ret |
710 | .L2: |
711 | - negw a4,a4 |
712 | - srl a1,a1,a4 |
713 | - sd a1,0(sp) |
714 | - sd zero,8(sp) |
715 | - ld a0,0(sp) |
716 | - ld a1,8(sp) |
717 | - addi sp,sp,16 |
718 | + negw a0,a4 |
719 | + li a2,0 |
720 | + srl a0,a1,a0 |
721 | + mv a1,a2 |
722 | + ret |
723 | +SYM_FUNC_END(__lshrti3) |
724 | +EXPORT_SYMBOL(__lshrti3) |
725 | + |
726 | +SYM_FUNC_START(__ashrti3) |
727 | + beqz a2, .L3 |
728 | + li a5,64 |
729 | + sub a5,a5,a2 |
730 | + sext.w a4,a5 |
731 | + blez a5, .L4 |
732 | + sext.w a2,a2 |
733 | + srl a0,a0,a2 |
734 | + sll a4,a1,a4 |
735 | + sra a2,a1,a2 |
736 | + or a0,a0,a4 |
737 | + mv a1,a2 |
738 | +.L3: |
739 | + ret |
740 | +.L4: |
741 | + negw a0,a4 |
742 | + srai a2,a1,0x3f |
743 | + sra a0,a1,a0 |
744 | + mv a1,a2 |
745 | + ret |
746 | +SYM_FUNC_END(__ashrti3) |
747 | +EXPORT_SYMBOL(__ashrti3) |
748 | + |
749 | +SYM_FUNC_START(__ashlti3) |
750 | + beqz a2, .L5 |
751 | + li a5,64 |
752 | + sub a5,a5,a2 |
753 | + sext.w a4,a5 |
754 | + blez a5, .L6 |
755 | + sext.w a2,a2 |
756 | + sll a1,a1,a2 |
757 | + srl a4,a0,a4 |
758 | + sll a2,a0,a2 |
759 | + or a1,a1,a4 |
760 | + mv a0,a2 |
761 | +.L5: |
762 | + ret |
763 | +.L6: |
764 | + negw a1,a4 |
765 | + li a2,0 |
766 | + sll a1,a0,a1 |
767 | + mv a0,a2 |
768 | ret |
769 | -ENDPROC(__lshrti3) |
770 | +SYM_FUNC_END(__ashlti3) |
771 | +EXPORT_SYMBOL(__ashlti3) |
772 | diff --git a/arch/s390/include/asm/archrandom.h b/arch/s390/include/asm/archrandom.h |
773 | index c67b82dfa558e..9a6835137a164 100644 |
774 | --- a/arch/s390/include/asm/archrandom.h |
775 | +++ b/arch/s390/include/asm/archrandom.h |
776 | @@ -21,18 +21,6 @@ extern atomic64_t s390_arch_random_counter; |
777 | |
778 | bool s390_arch_random_generate(u8 *buf, unsigned int nbytes); |
779 | |
780 | -static inline bool arch_has_random(void) |
781 | -{ |
782 | - return false; |
783 | -} |
784 | - |
785 | -static inline bool arch_has_random_seed(void) |
786 | -{ |
787 | - if (static_branch_likely(&s390_arch_random_available)) |
788 | - return true; |
789 | - return false; |
790 | -} |
791 | - |
792 | static inline bool arch_get_random_long(unsigned long *v) |
793 | { |
794 | return false; |
795 | diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h |
796 | index b6a4ce9dafafb..99a7e028232d8 100644 |
797 | --- a/arch/s390/include/asm/timex.h |
798 | +++ b/arch/s390/include/asm/timex.h |
799 | @@ -177,6 +177,7 @@ static inline cycles_t get_cycles(void) |
800 | { |
801 | return (cycles_t) get_tod_clock() >> 2; |
802 | } |
803 | +#define get_cycles get_cycles |
804 | |
805 | int get_phys_clock(unsigned long *clock); |
806 | void init_cpu_timer(void); |
807 | diff --git a/arch/sparc/include/asm/timex_32.h b/arch/sparc/include/asm/timex_32.h |
808 | index 542915b462097..f86326a6f89e0 100644 |
809 | --- a/arch/sparc/include/asm/timex_32.h |
810 | +++ b/arch/sparc/include/asm/timex_32.h |
811 | @@ -9,8 +9,6 @@ |
812 | |
813 | #define CLOCK_TICK_RATE 1193180 /* Underlying HZ */ |
814 | |
815 | -/* XXX Maybe do something better at some point... -DaveM */ |
816 | -typedef unsigned long cycles_t; |
817 | -#define get_cycles() (0) |
818 | +#include <asm-generic/timex.h> |
819 | |
820 | #endif |
821 | diff --git a/arch/um/include/asm/timex.h b/arch/um/include/asm/timex.h |
822 | index e392a9a5bc9bd..9f27176adb26d 100644 |
823 | --- a/arch/um/include/asm/timex.h |
824 | +++ b/arch/um/include/asm/timex.h |
825 | @@ -2,13 +2,8 @@ |
826 | #ifndef __UM_TIMEX_H |
827 | #define __UM_TIMEX_H |
828 | |
829 | -typedef unsigned long cycles_t; |
830 | - |
831 | -static inline cycles_t get_cycles (void) |
832 | -{ |
833 | - return 0; |
834 | -} |
835 | - |
836 | #define CLOCK_TICK_RATE (HZ) |
837 | |
838 | +#include <asm-generic/timex.h> |
839 | + |
840 | #endif |
841 | diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h |
842 | index af45e1452f097..feb59461046c6 100644 |
843 | --- a/arch/x86/include/asm/archrandom.h |
844 | +++ b/arch/x86/include/asm/archrandom.h |
845 | @@ -73,10 +73,6 @@ static inline bool rdseed_int(unsigned int *v) |
846 | return ok; |
847 | } |
848 | |
849 | -/* Conditional execution based on CPU type */ |
850 | -#define arch_has_random() static_cpu_has(X86_FEATURE_RDRAND) |
851 | -#define arch_has_random_seed() static_cpu_has(X86_FEATURE_RDSEED) |
852 | - |
853 | /* |
854 | * These are the generic interfaces; they must not be declared if the |
855 | * stubs in <linux/random.h> are to be invoked, |
856 | @@ -86,22 +82,22 @@ static inline bool rdseed_int(unsigned int *v) |
857 | |
858 | static inline bool arch_get_random_long(unsigned long *v) |
859 | { |
860 | - return arch_has_random() ? rdrand_long(v) : false; |
861 | + return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_long(v) : false; |
862 | } |
863 | |
864 | static inline bool arch_get_random_int(unsigned int *v) |
865 | { |
866 | - return arch_has_random() ? rdrand_int(v) : false; |
867 | + return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_int(v) : false; |
868 | } |
869 | |
870 | static inline bool arch_get_random_seed_long(unsigned long *v) |
871 | { |
872 | - return arch_has_random_seed() ? rdseed_long(v) : false; |
873 | + return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_long(v) : false; |
874 | } |
875 | |
876 | static inline bool arch_get_random_seed_int(unsigned int *v) |
877 | { |
878 | - return arch_has_random_seed() ? rdseed_int(v) : false; |
879 | + return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_int(v) : false; |
880 | } |
881 | |
882 | extern void x86_init_rdrand(struct cpuinfo_x86 *c); |
883 | diff --git a/arch/x86/include/asm/timex.h b/arch/x86/include/asm/timex.h |
884 | index a4a8b1b16c0c1..956e4145311b1 100644 |
885 | --- a/arch/x86/include/asm/timex.h |
886 | +++ b/arch/x86/include/asm/timex.h |
887 | @@ -5,6 +5,15 @@ |
888 | #include <asm/processor.h> |
889 | #include <asm/tsc.h> |
890 | |
891 | +static inline unsigned long random_get_entropy(void) |
892 | +{ |
893 | + if (!IS_ENABLED(CONFIG_X86_TSC) && |
894 | + !cpu_feature_enabled(X86_FEATURE_TSC)) |
895 | + return random_get_entropy_fallback(); |
896 | + return rdtsc(); |
897 | +} |
898 | +#define random_get_entropy random_get_entropy |
899 | + |
900 | /* Assume we use the PIT time source for the clock tick */ |
901 | #define CLOCK_TICK_RATE PIT_TICK_RATE |
902 | |
903 | diff --git a/arch/x86/include/asm/tsc.h b/arch/x86/include/asm/tsc.h |
904 | index 8a0c25c6bf099..f1ea8f0c8b129 100644 |
905 | --- a/arch/x86/include/asm/tsc.h |
906 | +++ b/arch/x86/include/asm/tsc.h |
907 | @@ -22,13 +22,12 @@ extern void disable_TSC(void); |
908 | |
909 | static inline cycles_t get_cycles(void) |
910 | { |
911 | -#ifndef CONFIG_X86_TSC |
912 | - if (!boot_cpu_has(X86_FEATURE_TSC)) |
913 | + if (!IS_ENABLED(CONFIG_X86_TSC) && |
914 | + !cpu_feature_enabled(X86_FEATURE_TSC)) |
915 | return 0; |
916 | -#endif |
917 | - |
918 | return rdtsc(); |
919 | } |
920 | +#define get_cycles get_cycles |
921 | |
922 | extern struct system_counterval_t convert_art_to_tsc(u64 art); |
923 | extern struct system_counterval_t convert_art_ns_to_tsc(u64 art_ns); |
924 | diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c |
925 | index 1c2f9baf84832..51d95c4b692c3 100644 |
926 | --- a/arch/x86/kernel/cpu/mshyperv.c |
927 | +++ b/arch/x86/kernel/cpu/mshyperv.c |
928 | @@ -82,7 +82,7 @@ __visible void __irq_entry hv_stimer0_vector_handler(struct pt_regs *regs) |
929 | inc_irq_stat(hyperv_stimer0_count); |
930 | if (hv_stimer0_handler) |
931 | hv_stimer0_handler(); |
932 | - add_interrupt_randomness(HYPERV_STIMER0_VECTOR, 0); |
933 | + add_interrupt_randomness(HYPERV_STIMER0_VECTOR); |
934 | ack_APIC_irq(); |
935 | |
936 | exiting_irq(); |
937 | diff --git a/arch/xtensa/include/asm/timex.h b/arch/xtensa/include/asm/timex.h |
938 | index 233ec75e60c69..3f2462f2d0270 100644 |
939 | --- a/arch/xtensa/include/asm/timex.h |
940 | +++ b/arch/xtensa/include/asm/timex.h |
941 | @@ -29,10 +29,6 @@ |
942 | |
943 | extern unsigned long ccount_freq; |
944 | |
945 | -typedef unsigned long long cycles_t; |
946 | - |
947 | -#define get_cycles() (0) |
948 | - |
949 | void local_timer_setup(unsigned cpu); |
950 | |
951 | /* |
952 | @@ -59,4 +55,6 @@ static inline void set_linux_timer (unsigned long ccompare) |
953 | xtensa_set_sr(ccompare, SREG_CCOMPARE + LINUX_TIMER); |
954 | } |
955 | |
956 | +#include <asm-generic/timex.h> |
957 | + |
958 | #endif /* _XTENSA_TIMEX_H */ |
959 | diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c |
960 | index 344892337be07..d5961aa3d3380 100644 |
961 | --- a/certs/blacklist_hashes.c |
962 | +++ b/certs/blacklist_hashes.c |
963 | @@ -1,7 +1,7 @@ |
964 | // SPDX-License-Identifier: GPL-2.0 |
965 | #include "blacklist.h" |
966 | |
967 | -const char __initdata *const blacklist_hashes[] = { |
968 | +const char __initconst *const blacklist_hashes[] = { |
969 | #include CONFIG_SYSTEM_BLACKLIST_HASH_LIST |
970 | , NULL |
971 | }; |
972 | diff --git a/crypto/drbg.c b/crypto/drbg.c |
973 | index 04379ca624cd8..9329d9dcc210f 100644 |
974 | --- a/crypto/drbg.c |
975 | +++ b/crypto/drbg.c |
976 | @@ -1035,17 +1035,38 @@ static const struct drbg_state_ops drbg_hash_ops = { |
977 | ******************************************************************/ |
978 | |
979 | static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, |
980 | - int reseed) |
981 | + int reseed, enum drbg_seed_state new_seed_state) |
982 | { |
983 | int ret = drbg->d_ops->update(drbg, seed, reseed); |
984 | |
985 | if (ret) |
986 | return ret; |
987 | |
988 | - drbg->seeded = true; |
989 | + drbg->seeded = new_seed_state; |
990 | /* 10.1.1.2 / 10.1.1.3 step 5 */ |
991 | drbg->reseed_ctr = 1; |
992 | |
993 | + switch (drbg->seeded) { |
994 | + case DRBG_SEED_STATE_UNSEEDED: |
995 | + /* Impossible, but handle it to silence compiler warnings. */ |
996 | + fallthrough; |
997 | + case DRBG_SEED_STATE_PARTIAL: |
998 | + /* |
999 | + * Require frequent reseeds until the seed source is |
1000 | + * fully initialized. |
1001 | + */ |
1002 | + drbg->reseed_threshold = 50; |
1003 | + break; |
1004 | + |
1005 | + case DRBG_SEED_STATE_FULL: |
1006 | + /* |
1007 | + * Seed source has become fully initialized, frequent |
1008 | + * reseeds no longer required. |
1009 | + */ |
1010 | + drbg->reseed_threshold = drbg_max_requests(drbg); |
1011 | + break; |
1012 | + } |
1013 | + |
1014 | return ret; |
1015 | } |
1016 | |
1017 | @@ -1065,12 +1086,10 @@ static inline int drbg_get_random_bytes(struct drbg_state *drbg, |
1018 | return 0; |
1019 | } |
1020 | |
1021 | -static void drbg_async_seed(struct work_struct *work) |
1022 | +static int drbg_seed_from_random(struct drbg_state *drbg) |
1023 | { |
1024 | struct drbg_string data; |
1025 | LIST_HEAD(seedlist); |
1026 | - struct drbg_state *drbg = container_of(work, struct drbg_state, |
1027 | - seed_work); |
1028 | unsigned int entropylen = drbg_sec_strength(drbg->core->flags); |
1029 | unsigned char entropy[32]; |
1030 | int ret; |
1031 | @@ -1081,30 +1100,15 @@ static void drbg_async_seed(struct work_struct *work) |
1032 | drbg_string_fill(&data, entropy, entropylen); |
1033 | list_add_tail(&data.list, &seedlist); |
1034 | |
1035 | - mutex_lock(&drbg->drbg_mutex); |
1036 | - |
1037 | ret = drbg_get_random_bytes(drbg, entropy, entropylen); |
1038 | if (ret) |
1039 | - goto unlock; |
1040 | - |
1041 | - /* If nonblocking pool is initialized, deactivate Jitter RNG */ |
1042 | - crypto_free_rng(drbg->jent); |
1043 | - drbg->jent = NULL; |
1044 | - |
1045 | - /* Set seeded to false so that if __drbg_seed fails the |
1046 | - * next generate call will trigger a reseed. |
1047 | - */ |
1048 | - drbg->seeded = false; |
1049 | - |
1050 | - __drbg_seed(drbg, &seedlist, true); |
1051 | - |
1052 | - if (drbg->seeded) |
1053 | - drbg->reseed_threshold = drbg_max_requests(drbg); |
1054 | + goto out; |
1055 | |
1056 | -unlock: |
1057 | - mutex_unlock(&drbg->drbg_mutex); |
1058 | + ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); |
1059 | |
1060 | +out: |
1061 | memzero_explicit(entropy, entropylen); |
1062 | + return ret; |
1063 | } |
1064 | |
1065 | /* |
1066 | @@ -1126,6 +1130,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, |
1067 | unsigned int entropylen = drbg_sec_strength(drbg->core->flags); |
1068 | struct drbg_string data1; |
1069 | LIST_HEAD(seedlist); |
1070 | + enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; |
1071 | |
1072 | /* 9.1 / 9.2 / 9.3.1 step 3 */ |
1073 | if (pers && pers->len > (drbg_max_addtl(drbg))) { |
1074 | @@ -1153,6 +1158,9 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, |
1075 | BUG_ON((entropylen * 2) > sizeof(entropy)); |
1076 | |
1077 | /* Get seed from in-kernel /dev/urandom */ |
1078 | + if (!rng_is_initialized()) |
1079 | + new_seed_state = DRBG_SEED_STATE_PARTIAL; |
1080 | + |
1081 | ret = drbg_get_random_bytes(drbg, entropy, entropylen); |
1082 | if (ret) |
1083 | goto out; |
1084 | @@ -1168,7 +1176,23 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, |
1085 | entropylen); |
1086 | if (ret) { |
1087 | pr_devel("DRBG: jent failed with %d\n", ret); |
1088 | - goto out; |
1089 | + |
1090 | + /* |
1091 | + * Do not treat the transient failure of the |
1092 | + * Jitter RNG as an error that needs to be |
1093 | + * reported. The combined number of the |
1094 | + * maximum reseed threshold times the maximum |
1095 | + * number of Jitter RNG transient errors is |
1096 | + * less than the reseed threshold required by |
1097 | + * SP800-90A allowing us to treat the |
1098 | + * transient errors as such. |
1099 | + * |
1100 | + * However, we mandate that at least the first |
1101 | + * seeding operation must succeed with the |
1102 | + * Jitter RNG. |
1103 | + */ |
1104 | + if (!reseed || ret != -EAGAIN) |
1105 | + goto out; |
1106 | } |
1107 | |
1108 | drbg_string_fill(&data1, entropy, entropylen * 2); |
1109 | @@ -1193,7 +1217,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, |
1110 | memset(drbg->C, 0, drbg_statelen(drbg)); |
1111 | } |
1112 | |
1113 | - ret = __drbg_seed(drbg, &seedlist, reseed); |
1114 | + ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); |
1115 | |
1116 | out: |
1117 | memzero_explicit(entropy, entropylen * 2); |
1118 | @@ -1373,19 +1397,25 @@ static int drbg_generate(struct drbg_state *drbg, |
1119 | * here. The spec is a bit convoluted here, we make it simpler. |
1120 | */ |
1121 | if (drbg->reseed_threshold < drbg->reseed_ctr) |
1122 | - drbg->seeded = false; |
1123 | + drbg->seeded = DRBG_SEED_STATE_UNSEEDED; |
1124 | |
1125 | - if (drbg->pr || !drbg->seeded) { |
1126 | + if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { |
1127 | pr_devel("DRBG: reseeding before generation (prediction " |
1128 | "resistance: %s, state %s)\n", |
1129 | drbg->pr ? "true" : "false", |
1130 | - drbg->seeded ? "seeded" : "unseeded"); |
1131 | + (drbg->seeded == DRBG_SEED_STATE_FULL ? |
1132 | + "seeded" : "unseeded")); |
1133 | /* 9.3.1 steps 7.1 through 7.3 */ |
1134 | len = drbg_seed(drbg, addtl, true); |
1135 | if (len) |
1136 | goto err; |
1137 | /* 9.3.1 step 7.4 */ |
1138 | addtl = NULL; |
1139 | + } else if (rng_is_initialized() && |
1140 | + drbg->seeded == DRBG_SEED_STATE_PARTIAL) { |
1141 | + len = drbg_seed_from_random(drbg); |
1142 | + if (len) |
1143 | + goto err; |
1144 | } |
1145 | |
1146 | if (addtl && 0 < addtl->len) |
1147 | @@ -1478,51 +1508,15 @@ static int drbg_generate_long(struct drbg_state *drbg, |
1148 | return 0; |
1149 | } |
1150 | |
1151 | -static void drbg_schedule_async_seed(struct random_ready_callback *rdy) |
1152 | -{ |
1153 | - struct drbg_state *drbg = container_of(rdy, struct drbg_state, |
1154 | - random_ready); |
1155 | - |
1156 | - schedule_work(&drbg->seed_work); |
1157 | -} |
1158 | - |
1159 | static int drbg_prepare_hrng(struct drbg_state *drbg) |
1160 | { |
1161 | - int err; |
1162 | - |
1163 | /* We do not need an HRNG in test mode. */ |
1164 | if (list_empty(&drbg->test_data.list)) |
1165 | return 0; |
1166 | |
1167 | - INIT_WORK(&drbg->seed_work, drbg_async_seed); |
1168 | - |
1169 | - drbg->random_ready.owner = THIS_MODULE; |
1170 | - drbg->random_ready.func = drbg_schedule_async_seed; |
1171 | - |
1172 | - err = add_random_ready_callback(&drbg->random_ready); |
1173 | - |
1174 | - switch (err) { |
1175 | - case 0: |
1176 | - break; |
1177 | - |
1178 | - case -EALREADY: |
1179 | - err = 0; |
1180 | - /* fall through */ |
1181 | - |
1182 | - default: |
1183 | - drbg->random_ready.func = NULL; |
1184 | - return err; |
1185 | - } |
1186 | - |
1187 | drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); |
1188 | |
1189 | - /* |
1190 | - * Require frequent reseeds until the seed source is fully |
1191 | - * initialized. |
1192 | - */ |
1193 | - drbg->reseed_threshold = 50; |
1194 | - |
1195 | - return err; |
1196 | + return 0; |
1197 | } |
1198 | |
1199 | /* |
1200 | @@ -1565,7 +1559,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, |
1201 | if (!drbg->core) { |
1202 | drbg->core = &drbg_cores[coreref]; |
1203 | drbg->pr = pr; |
1204 | - drbg->seeded = false; |
1205 | + drbg->seeded = DRBG_SEED_STATE_UNSEEDED; |
1206 | drbg->reseed_threshold = drbg_max_requests(drbg); |
1207 | |
1208 | ret = drbg_alloc_state(drbg); |
1209 | @@ -1616,12 +1610,9 @@ free_everything: |
1210 | */ |
1211 | static int drbg_uninstantiate(struct drbg_state *drbg) |
1212 | { |
1213 | - if (drbg->random_ready.func) { |
1214 | - del_random_ready_callback(&drbg->random_ready); |
1215 | - cancel_work_sync(&drbg->seed_work); |
1216 | + if (!IS_ERR_OR_NULL(drbg->jent)) |
1217 | crypto_free_rng(drbg->jent); |
1218 | - drbg->jent = NULL; |
1219 | - } |
1220 | + drbg->jent = NULL; |
1221 | |
1222 | if (drbg->d_ops) |
1223 | drbg->d_ops->crypto_fini(drbg); |
1224 | diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c |
1225 | index af8a1bac93458..fc37e075f3e15 100644 |
1226 | --- a/drivers/ata/libata-core.c |
1227 | +++ b/drivers/ata/libata-core.c |
1228 | @@ -6235,7 +6235,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev, |
1229 | const struct ata_port_info * const * ppi, |
1230 | int n_ports) |
1231 | { |
1232 | - const struct ata_port_info *pi; |
1233 | + const struct ata_port_info *pi = &ata_dummy_port_info; |
1234 | struct ata_host *host; |
1235 | int i, j; |
1236 | |
1237 | @@ -6243,7 +6243,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev, |
1238 | if (!host) |
1239 | return NULL; |
1240 | |
1241 | - for (i = 0, j = 0, pi = NULL; i < host->n_ports; i++) { |
1242 | + for (i = 0, j = 0; i < host->n_ports; i++) { |
1243 | struct ata_port *ap = host->ports[i]; |
1244 | |
1245 | if (ppi[j]) |
1246 | diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig |
1247 | index df0fc997dc3e3..85e97550a9a60 100644 |
1248 | --- a/drivers/char/Kconfig |
1249 | +++ b/drivers/char/Kconfig |
1250 | @@ -535,28 +535,41 @@ config ADI |
1251 | and SSM (Silicon Secured Memory). Intended consumers of this |
1252 | driver include crash and makedumpfile. |
1253 | |
1254 | -endmenu |
1255 | - |
1256 | config RANDOM_TRUST_CPU |
1257 | - bool "Trust the CPU manufacturer to initialize Linux's CRNG" |
1258 | - depends on X86 || S390 || PPC |
1259 | - default n |
1260 | + bool "Initialize RNG using CPU RNG instructions" |
1261 | + default y |
1262 | + depends on ARCH_RANDOM |
1263 | help |
1264 | - Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or |
1265 | - RDRAND, IBM for the S390 and Power PC architectures) is trustworthy |
1266 | - for the purposes of initializing Linux's CRNG. Since this is not |
1267 | - something that can be independently audited, this amounts to trusting |
1268 | - that CPU manufacturer (perhaps with the insistence or mandate |
1269 | - of a Nation State's intelligence or law enforcement agencies) |
1270 | - has not installed a hidden back door to compromise the CPU's |
1271 | - random number generation facilities. This can also be configured |
1272 | - at boot with "random.trust_cpu=on/off". |
1273 | + Initialize the RNG using random numbers supplied by the CPU's |
1274 | + RNG instructions (e.g. RDRAND), if supported and available. These |
1275 | + random numbers are never used directly, but are rather hashed into |
1276 | + the main input pool, and this happens regardless of whether or not |
1277 | + this option is enabled. Instead, this option controls whether the |
1278 | + they are credited and hence can initialize the RNG. Additionally, |
1279 | + other sources of randomness are always used, regardless of this |
1280 | + setting. Enabling this implies trusting that the CPU can supply high |
1281 | + quality and non-backdoored random numbers. |
1282 | + |
1283 | + Say Y here unless you have reason to mistrust your CPU or believe |
1284 | + its RNG facilities may be faulty. This may also be configured at |
1285 | + boot time with "random.trust_cpu=on/off". |
1286 | |
1287 | config RANDOM_TRUST_BOOTLOADER |
1288 | - bool "Trust the bootloader to initialize Linux's CRNG" |
1289 | + bool "Initialize RNG using bootloader-supplied seed" |
1290 | + default y |
1291 | help |
1292 | - Some bootloaders can provide entropy to increase the kernel's initial |
1293 | - device randomness. Say Y here to assume the entropy provided by the |
1294 | - booloader is trustworthy so it will be added to the kernel's entropy |
1295 | - pool. Otherwise, say N here so it will be regarded as device input that |
1296 | - only mixes the entropy pool. |
1297 | \ No newline at end of file |
1298 | + Initialize the RNG using a seed supplied by the bootloader or boot |
1299 | + environment (e.g. EFI or a bootloader-generated device tree). This |
1300 | + seed is not used directly, but is rather hashed into the main input |
1301 | + pool, and this happens regardless of whether or not this option is |
1302 | + enabled. Instead, this option controls whether the seed is credited |
1303 | + and hence can initialize the RNG. Additionally, other sources of |
1304 | + randomness are always used, regardless of this setting. Enabling |
1305 | + this implies trusting that the bootloader can supply high quality and |
1306 | + non-backdoored seeds. |
1307 | + |
1308 | + Say Y here unless you have reason to mistrust your bootloader or |
1309 | + believe its RNG facilities may be faulty. This may also be configured |
1310 | + at boot time with "random.trust_bootloader=on/off". |
1311 | + |
1312 | +endmenu |
1313 | diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c |
1314 | index 8d53b8ef545cb..559ca503b7b6e 100644 |
1315 | --- a/drivers/char/hw_random/core.c |
1316 | +++ b/drivers/char/hw_random/core.c |
1317 | @@ -15,6 +15,7 @@ |
1318 | #include <linux/err.h> |
1319 | #include <linux/fs.h> |
1320 | #include <linux/hw_random.h> |
1321 | +#include <linux/random.h> |
1322 | #include <linux/kernel.h> |
1323 | #include <linux/kthread.h> |
1324 | #include <linux/sched/signal.h> |
1325 | diff --git a/drivers/char/random.c b/drivers/char/random.c |
1326 | index 19bfbaf135989..82f9ee4404069 100644 |
1327 | --- a/drivers/char/random.c |
1328 | +++ b/drivers/char/random.c |
1329 | @@ -1,311 +1,29 @@ |
1330 | +// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) |
1331 | /* |
1332 | - * random.c -- A strong random number generator |
1333 | - * |
1334 | - * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All |
1335 | - * Rights Reserved. |
1336 | - * |
1337 | + * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
1338 | * Copyright Matt Mackall <mpm@selenic.com>, 2003, 2004, 2005 |
1339 | - * |
1340 | - * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All |
1341 | - * rights reserved. |
1342 | - * |
1343 | - * Redistribution and use in source and binary forms, with or without |
1344 | - * modification, are permitted provided that the following conditions |
1345 | - * are met: |
1346 | - * 1. Redistributions of source code must retain the above copyright |
1347 | - * notice, and the entire permission notice in its entirety, |
1348 | - * including the disclaimer of warranties. |
1349 | - * 2. Redistributions in binary form must reproduce the above copyright |
1350 | - * notice, this list of conditions and the following disclaimer in the |
1351 | - * documentation and/or other materials provided with the distribution. |
1352 | - * 3. The name of the author may not be used to endorse or promote |
1353 | - * products derived from this software without specific prior |
1354 | - * written permission. |
1355 | - * |
1356 | - * ALTERNATIVELY, this product may be distributed under the terms of |
1357 | - * the GNU General Public License, in which case the provisions of the GPL are |
1358 | - * required INSTEAD OF the above restrictions. (This clause is |
1359 | - * necessary due to a potential bad interaction between the GPL and |
1360 | - * the restrictions contained in a BSD-style copyright.) |
1361 | - * |
1362 | - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
1363 | - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
1364 | - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF |
1365 | - * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE |
1366 | - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
1367 | - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT |
1368 | - * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
1369 | - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
1370 | - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
1371 | - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE |
1372 | - * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH |
1373 | - * DAMAGE. |
1374 | + * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved. |
1375 | + * |
1376 | + * This driver produces cryptographically secure pseudorandom data. It is divided |
1377 | + * into roughly six sections, each with a section header: |
1378 | + * |
1379 | + * - Initialization and readiness waiting. |
1380 | + * - Fast key erasure RNG, the "crng". |
1381 | + * - Entropy accumulation and extraction routines. |
1382 | + * - Entropy collection routines. |
1383 | + * - Userspace reader/writer interfaces. |
1384 | + * - Sysctl interface. |
1385 | + * |
1386 | + * The high level overview is that there is one input pool, into which |
1387 | + * various pieces of data are hashed. Prior to initialization, some of that |
1388 | + * data is then "credited" as having a certain number of bits of entropy. |
1389 | + * When enough bits of entropy are available, the hash is finalized and |
1390 | + * handed as a key to a stream cipher that expands it indefinitely for |
1391 | + * various consumers. This key is periodically refreshed as the various |
1392 | + * entropy collectors, described below, add data to the input pool. |
1393 | */ |
1394 | |
1395 | -/* |
1396 | - * (now, with legal B.S. out of the way.....) |
1397 | - * |
1398 | - * This routine gathers environmental noise from device drivers, etc., |
1399 | - * and returns good random numbers, suitable for cryptographic use. |
1400 | - * Besides the obvious cryptographic uses, these numbers are also good |
1401 | - * for seeding TCP sequence numbers, and other places where it is |
1402 | - * desirable to have numbers which are not only random, but hard to |
1403 | - * predict by an attacker. |
1404 | - * |
1405 | - * Theory of operation |
1406 | - * =================== |
1407 | - * |
1408 | - * Computers are very predictable devices. Hence it is extremely hard |
1409 | - * to produce truly random numbers on a computer --- as opposed to |
1410 | - * pseudo-random numbers, which can easily generated by using a |
1411 | - * algorithm. Unfortunately, it is very easy for attackers to guess |
1412 | - * the sequence of pseudo-random number generators, and for some |
1413 | - * applications this is not acceptable. So instead, we must try to |
1414 | - * gather "environmental noise" from the computer's environment, which |
1415 | - * must be hard for outside attackers to observe, and use that to |
1416 | - * generate random numbers. In a Unix environment, this is best done |
1417 | - * from inside the kernel. |
1418 | - * |
1419 | - * Sources of randomness from the environment include inter-keyboard |
1420 | - * timings, inter-interrupt timings from some interrupts, and other |
1421 | - * events which are both (a) non-deterministic and (b) hard for an |
1422 | - * outside observer to measure. Randomness from these sources are |
1423 | - * added to an "entropy pool", which is mixed using a CRC-like function. |
1424 | - * This is not cryptographically strong, but it is adequate assuming |
1425 | - * the randomness is not chosen maliciously, and it is fast enough that |
1426 | - * the overhead of doing it on every interrupt is very reasonable. |
1427 | - * As random bytes are mixed into the entropy pool, the routines keep |
1428 | - * an *estimate* of how many bits of randomness have been stored into |
1429 | - * the random number generator's internal state. |
1430 | - * |
1431 | - * When random bytes are desired, they are obtained by taking the SHA |
1432 | - * hash of the contents of the "entropy pool". The SHA hash avoids |
1433 | - * exposing the internal state of the entropy pool. It is believed to |
1434 | - * be computationally infeasible to derive any useful information |
1435 | - * about the input of SHA from its output. Even if it is possible to |
1436 | - * analyze SHA in some clever way, as long as the amount of data |
1437 | - * returned from the generator is less than the inherent entropy in |
1438 | - * the pool, the output data is totally unpredictable. For this |
1439 | - * reason, the routine decreases its internal estimate of how many |
1440 | - * bits of "true randomness" are contained in the entropy pool as it |
1441 | - * outputs random numbers. |
1442 | - * |
1443 | - * If this estimate goes to zero, the routine can still generate |
1444 | - * random numbers; however, an attacker may (at least in theory) be |
1445 | - * able to infer the future output of the generator from prior |
1446 | - * outputs. This requires successful cryptanalysis of SHA, which is |
1447 | - * not believed to be feasible, but there is a remote possibility. |
1448 | - * Nonetheless, these numbers should be useful for the vast majority |
1449 | - * of purposes. |
1450 | - * |
1451 | - * Exported interfaces ---- output |
1452 | - * =============================== |
1453 | - * |
1454 | - * There are four exported interfaces; two for use within the kernel, |
1455 | - * and two or use from userspace. |
1456 | - * |
1457 | - * Exported interfaces ---- userspace output |
1458 | - * ----------------------------------------- |
1459 | - * |
1460 | - * The userspace interfaces are two character devices /dev/random and |
1461 | - * /dev/urandom. /dev/random is suitable for use when very high |
1462 | - * quality randomness is desired (for example, for key generation or |
1463 | - * one-time pads), as it will only return a maximum of the number of |
1464 | - * bits of randomness (as estimated by the random number generator) |
1465 | - * contained in the entropy pool. |
1466 | - * |
1467 | - * The /dev/urandom device does not have this limit, and will return |
1468 | - * as many bytes as are requested. As more and more random bytes are |
1469 | - * requested without giving time for the entropy pool to recharge, |
1470 | - * this will result in random numbers that are merely cryptographically |
1471 | - * strong. For many applications, however, this is acceptable. |
1472 | - * |
1473 | - * Exported interfaces ---- kernel output |
1474 | - * -------------------------------------- |
1475 | - * |
1476 | - * The primary kernel interface is |
1477 | - * |
1478 | - * void get_random_bytes(void *buf, int nbytes); |
1479 | - * |
1480 | - * This interface will return the requested number of random bytes, |
1481 | - * and place it in the requested buffer. This is equivalent to a |
1482 | - * read from /dev/urandom. |
1483 | - * |
1484 | - * For less critical applications, there are the functions: |
1485 | - * |
1486 | - * u32 get_random_u32() |
1487 | - * u64 get_random_u64() |
1488 | - * unsigned int get_random_int() |
1489 | - * unsigned long get_random_long() |
1490 | - * |
1491 | - * These are produced by a cryptographic RNG seeded from get_random_bytes, |
1492 | - * and so do not deplete the entropy pool as much. These are recommended |
1493 | - * for most in-kernel operations *if the result is going to be stored in |
1494 | - * the kernel*. |
1495 | - * |
1496 | - * Specifically, the get_random_int() family do not attempt to do |
1497 | - * "anti-backtracking". If you capture the state of the kernel (e.g. |
1498 | - * by snapshotting the VM), you can figure out previous get_random_int() |
1499 | - * return values. But if the value is stored in the kernel anyway, |
1500 | - * this is not a problem. |
1501 | - * |
1502 | - * It *is* safe to expose get_random_int() output to attackers (e.g. as |
1503 | - * network cookies); given outputs 1..n, it's not feasible to predict |
1504 | - * outputs 0 or n+1. The only concern is an attacker who breaks into |
1505 | - * the kernel later; the get_random_int() engine is not reseeded as |
1506 | - * often as the get_random_bytes() one. |
1507 | - * |
1508 | - * get_random_bytes() is needed for keys that need to stay secret after |
1509 | - * they are erased from the kernel. For example, any key that will |
1510 | - * be wrapped and stored encrypted. And session encryption keys: we'd |
1511 | - * like to know that after the session is closed and the keys erased, |
1512 | - * the plaintext is unrecoverable to someone who recorded the ciphertext. |
1513 | - * |
1514 | - * But for network ports/cookies, stack canaries, PRNG seeds, address |
1515 | - * space layout randomization, session *authentication* keys, or other |
1516 | - * applications where the sensitive data is stored in the kernel in |
1517 | - * plaintext for as long as it's sensitive, the get_random_int() family |
1518 | - * is just fine. |
1519 | - * |
1520 | - * Consider ASLR. We want to keep the address space secret from an |
1521 | - * outside attacker while the process is running, but once the address |
1522 | - * space is torn down, it's of no use to an attacker any more. And it's |
1523 | - * stored in kernel data structures as long as it's alive, so worrying |
1524 | - * about an attacker's ability to extrapolate it from the get_random_int() |
1525 | - * CRNG is silly. |
1526 | - * |
1527 | - * Even some cryptographic keys are safe to generate with get_random_int(). |
1528 | - * In particular, keys for SipHash are generally fine. Here, knowledge |
1529 | - * of the key authorizes you to do something to a kernel object (inject |
1530 | - * packets to a network connection, or flood a hash table), and the |
1531 | - * key is stored with the object being protected. Once it goes away, |
1532 | - * we no longer care if anyone knows the key. |
1533 | - * |
1534 | - * prandom_u32() |
1535 | - * ------------- |
1536 | - * |
1537 | - * For even weaker applications, see the pseudorandom generator |
1538 | - * prandom_u32(), prandom_max(), and prandom_bytes(). If the random |
1539 | - * numbers aren't security-critical at all, these are *far* cheaper. |
1540 | - * Useful for self-tests, random error simulation, randomized backoffs, |
1541 | - * and any other application where you trust that nobody is trying to |
1542 | - * maliciously mess with you by guessing the "random" numbers. |
1543 | - * |
1544 | - * Exported interfaces ---- input |
1545 | - * ============================== |
1546 | - * |
1547 | - * The current exported interfaces for gathering environmental noise |
1548 | - * from the devices are: |
1549 | - * |
1550 | - * void add_device_randomness(const void *buf, unsigned int size); |
1551 | - * void add_input_randomness(unsigned int type, unsigned int code, |
1552 | - * unsigned int value); |
1553 | - * void add_interrupt_randomness(int irq, int irq_flags); |
1554 | - * void add_disk_randomness(struct gendisk *disk); |
1555 | - * |
1556 | - * add_device_randomness() is for adding data to the random pool that |
1557 | - * is likely to differ between two devices (or possibly even per boot). |
1558 | - * This would be things like MAC addresses or serial numbers, or the |
1559 | - * read-out of the RTC. This does *not* add any actual entropy to the |
1560 | - * pool, but it initializes the pool to different values for devices |
1561 | - * that might otherwise be identical and have very little entropy |
1562 | - * available to them (particularly common in the embedded world). |
1563 | - * |
1564 | - * add_input_randomness() uses the input layer interrupt timing, as well as |
1565 | - * the event type information from the hardware. |
1566 | - * |
1567 | - * add_interrupt_randomness() uses the interrupt timing as random |
1568 | - * inputs to the entropy pool. Using the cycle counters and the irq source |
1569 | - * as inputs, it feeds the randomness roughly once a second. |
1570 | - * |
1571 | - * add_disk_randomness() uses what amounts to the seek time of block |
1572 | - * layer request events, on a per-disk_devt basis, as input to the |
1573 | - * entropy pool. Note that high-speed solid state drives with very low |
1574 | - * seek times do not make for good sources of entropy, as their seek |
1575 | - * times are usually fairly consistent. |
1576 | - * |
1577 | - * All of these routines try to estimate how many bits of randomness a |
1578 | - * particular randomness source. They do this by keeping track of the |
1579 | - * first and second order deltas of the event timings. |
1580 | - * |
1581 | - * Ensuring unpredictability at system startup |
1582 | - * ============================================ |
1583 | - * |
1584 | - * When any operating system starts up, it will go through a sequence |
1585 | - * of actions that are fairly predictable by an adversary, especially |
1586 | - * if the start-up does not involve interaction with a human operator. |
1587 | - * This reduces the actual number of bits of unpredictability in the |
1588 | - * entropy pool below the value in entropy_count. In order to |
1589 | - * counteract this effect, it helps to carry information in the |
1590 | - * entropy pool across shut-downs and start-ups. To do this, put the |
1591 | - * following lines an appropriate script which is run during the boot |
1592 | - * sequence: |
1593 | - * |
1594 | - * echo "Initializing random number generator..." |
1595 | - * random_seed=/var/run/random-seed |
1596 | - * # Carry a random seed from start-up to start-up |
1597 | - * # Load and then save the whole entropy pool |
1598 | - * if [ -f $random_seed ]; then |
1599 | - * cat $random_seed >/dev/urandom |
1600 | - * else |
1601 | - * touch $random_seed |
1602 | - * fi |
1603 | - * chmod 600 $random_seed |
1604 | - * dd if=/dev/urandom of=$random_seed count=1 bs=512 |
1605 | - * |
1606 | - * and the following lines in an appropriate script which is run as |
1607 | - * the system is shutdown: |
1608 | - * |
1609 | - * # Carry a random seed from shut-down to start-up |
1610 | - * # Save the whole entropy pool |
1611 | - * echo "Saving random seed..." |
1612 | - * random_seed=/var/run/random-seed |
1613 | - * touch $random_seed |
1614 | - * chmod 600 $random_seed |
1615 | - * dd if=/dev/urandom of=$random_seed count=1 bs=512 |
1616 | - * |
1617 | - * For example, on most modern systems using the System V init |
1618 | - * scripts, such code fragments would be found in |
1619 | - * /etc/rc.d/init.d/random. On older Linux systems, the correct script |
1620 | - * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0. |
1621 | - * |
1622 | - * Effectively, these commands cause the contents of the entropy pool |
1623 | - * to be saved at shut-down time and reloaded into the entropy pool at |
1624 | - * start-up. (The 'dd' in the addition to the bootup script is to |
1625 | - * make sure that /etc/random-seed is different for every start-up, |
1626 | - * even if the system crashes without executing rc.0.) Even with |
1627 | - * complete knowledge of the start-up activities, predicting the state |
1628 | - * of the entropy pool requires knowledge of the previous history of |
1629 | - * the system. |
1630 | - * |
1631 | - * Configuring the /dev/random driver under Linux |
1632 | - * ============================================== |
1633 | - * |
1634 | - * The /dev/random driver under Linux uses minor numbers 8 and 9 of |
1635 | - * the /dev/mem major number (#1). So if your system does not have |
1636 | - * /dev/random and /dev/urandom created already, they can be created |
1637 | - * by using the commands: |
1638 | - * |
1639 | - * mknod /dev/random c 1 8 |
1640 | - * mknod /dev/urandom c 1 9 |
1641 | - * |
1642 | - * Acknowledgements: |
1643 | - * ================= |
1644 | - * |
1645 | - * Ideas for constructing this random number generator were derived |
1646 | - * from Pretty Good Privacy's random number generator, and from private |
1647 | - * discussions with Phil Karn. Colin Plumb provided a faster random |
1648 | - * number generator, which speed up the mixing function of the entropy |
1649 | - * pool, taken from PGPfone. Dale Worley has also contributed many |
1650 | - * useful ideas and suggestions to improve this driver. |
1651 | - * |
1652 | - * Any flaws in the design are solely my responsibility, and should |
1653 | - * not be attributed to the Phil, Colin, or any of authors of PGP. |
1654 | - * |
1655 | - * Further background information on this topic may be obtained from |
1656 | - * RFC 1750, "Randomness Recommendations for Security", by Donald |
1657 | - * Eastlake, Steve Crocker, and Jeff Schiller. |
1658 | - */ |
1659 | +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
1660 | |
1661 | #include <linux/utsname.h> |
1662 | #include <linux/module.h> |
1663 | @@ -325,8 +43,6 @@ |
1664 | #include <linux/spinlock.h> |
1665 | #include <linux/kthread.h> |
1666 | #include <linux/percpu.h> |
1667 | -#include <linux/cryptohash.h> |
1668 | -#include <linux/fips.h> |
1669 | #include <linux/ptrace.h> |
1670 | #include <linux/workqueue.h> |
1671 | #include <linux/irq.h> |
1672 | @@ -334,1663 +50,1067 @@ |
1673 | #include <linux/syscalls.h> |
1674 | #include <linux/completion.h> |
1675 | #include <linux/uuid.h> |
1676 | +#include <linux/uaccess.h> |
1677 | +#include <linux/siphash.h> |
1678 | +#include <linux/uio.h> |
1679 | #include <crypto/chacha.h> |
1680 | - |
1681 | +#include <crypto/blake2s.h> |
1682 | #include <asm/processor.h> |
1683 | -#include <linux/uaccess.h> |
1684 | #include <asm/irq.h> |
1685 | #include <asm/irq_regs.h> |
1686 | #include <asm/io.h> |
1687 | |
1688 | -#define CREATE_TRACE_POINTS |
1689 | -#include <trace/events/random.h> |
1690 | - |
1691 | -/* #define ADD_INTERRUPT_BENCH */ |
1692 | +/********************************************************************* |
1693 | + * |
1694 | + * Initialization and readiness waiting. |
1695 | + * |
1696 | + * Much of the RNG infrastructure is devoted to various dependencies |
1697 | + * being able to wait until the RNG has collected enough entropy and |
1698 | + * is ready for safe consumption. |
1699 | + * |
1700 | + *********************************************************************/ |
1701 | |
1702 | /* |
1703 | - * Configuration information |
1704 | + * crng_init is protected by base_crng->lock, and only increases |
1705 | + * its value (from empty->early->ready). |
1706 | */ |
1707 | -#define INPUT_POOL_SHIFT 12 |
1708 | -#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) |
1709 | -#define OUTPUT_POOL_SHIFT 10 |
1710 | -#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) |
1711 | -#define SEC_XFER_SIZE 512 |
1712 | -#define EXTRACT_SIZE 10 |
1713 | - |
1714 | +static enum { |
1715 | + CRNG_EMPTY = 0, /* Little to no entropy collected */ |
1716 | + CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */ |
1717 | + CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */ |
1718 | +} crng_init __read_mostly = CRNG_EMPTY; |
1719 | +#define crng_ready() (likely(crng_init >= CRNG_READY)) |
1720 | +/* Various types of waiters for crng_init->CRNG_READY transition. */ |
1721 | +static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); |
1722 | +static struct fasync_struct *fasync; |
1723 | +static DEFINE_SPINLOCK(random_ready_chain_lock); |
1724 | +static RAW_NOTIFIER_HEAD(random_ready_chain); |
1725 | |
1726 | -#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) |
1727 | +/* Control how we warn userspace. */ |
1728 | +static struct ratelimit_state urandom_warning = |
1729 | + RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); |
1730 | +static int ratelimit_disable __read_mostly = |
1731 | + IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM); |
1732 | +module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); |
1733 | +MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); |
1734 | |
1735 | /* |
1736 | - * To allow fractional bits to be tracked, the entropy_count field is |
1737 | - * denominated in units of 1/8th bits. |
1738 | + * Returns whether or not the input pool has been seeded and thus guaranteed |
1739 | + * to supply cryptographically secure random numbers. This applies to: the |
1740 | + * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, |
1741 | + * ,u64,int,long} family of functions. |
1742 | * |
1743 | - * 2*(ENTROPY_SHIFT + poolbitshift) must <= 31, or the multiply in |
1744 | - * credit_entropy_bits() needs to be 64 bits wide. |
1745 | + * Returns: true if the input pool has been seeded. |
1746 | + * false if the input pool has not been seeded. |
1747 | */ |
1748 | -#define ENTROPY_SHIFT 3 |
1749 | -#define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) |
1750 | +bool rng_is_initialized(void) |
1751 | +{ |
1752 | + return crng_ready(); |
1753 | +} |
1754 | +EXPORT_SYMBOL(rng_is_initialized); |
1755 | |
1756 | -/* |
1757 | - * The minimum number of bits of entropy before we wake up a read on |
1758 | - * /dev/random. Should be enough to do a significant reseed. |
1759 | - */ |
1760 | -static int random_read_wakeup_bits = 64; |
1761 | +/* Used by wait_for_random_bytes(), and considered an entropy collector, below. */ |
1762 | +static void try_to_generate_entropy(void); |
1763 | |
1764 | /* |
1765 | - * If the entropy count falls under this number of bits, then we |
1766 | - * should wake up processes which are selecting or polling on write |
1767 | - * access to /dev/random. |
1768 | + * Wait for the input pool to be seeded and thus guaranteed to supply |
1769 | + * cryptographically secure random numbers. This applies to: the /dev/urandom |
1770 | + * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} |
1771 | + * family of functions. Using any of these functions without first calling |
1772 | + * this function forfeits the guarantee of security. |
1773 | + * |
1774 | + * Returns: 0 if the input pool has been seeded. |
1775 | + * -ERESTARTSYS if the function was interrupted by a signal. |
1776 | */ |
1777 | -static int random_write_wakeup_bits = 28 * OUTPUT_POOL_WORDS; |
1778 | +int wait_for_random_bytes(void) |
1779 | +{ |
1780 | + while (!crng_ready()) { |
1781 | + int ret; |
1782 | + |
1783 | + try_to_generate_entropy(); |
1784 | + ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); |
1785 | + if (ret) |
1786 | + return ret > 0 ? 0 : ret; |
1787 | + } |
1788 | + return 0; |
1789 | +} |
1790 | +EXPORT_SYMBOL(wait_for_random_bytes); |
1791 | |
1792 | /* |
1793 | - * Originally, we used a primitive polynomial of degree .poolwords |
1794 | - * over GF(2). The taps for various sizes are defined below. They |
1795 | - * were chosen to be evenly spaced except for the last tap, which is 1 |
1796 | - * to get the twisting happening as fast as possible. |
1797 | - * |
1798 | - * For the purposes of better mixing, we use the CRC-32 polynomial as |
1799 | - * well to make a (modified) twisted Generalized Feedback Shift |
1800 | - * Register. (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR |
1801 | - * generators. ACM Transactions on Modeling and Computer Simulation |
1802 | - * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted |
1803 | - * GFSR generators II. ACM Transactions on Modeling and Computer |
1804 | - * Simulation 4:254-266) |
1805 | - * |
1806 | - * Thanks to Colin Plumb for suggesting this. |
1807 | - * |
1808 | - * The mixing operation is much less sensitive than the output hash, |
1809 | - * where we use SHA-1. All that we want of mixing operation is that |
1810 | - * it be a good non-cryptographic hash; i.e. it not produce collisions |
1811 | - * when fed "random" data of the sort we expect to see. As long as |
1812 | - * the pool state differs for different inputs, we have preserved the |
1813 | - * input entropy and done a good job. The fact that an intelligent |
1814 | - * attacker can construct inputs that will produce controlled |
1815 | - * alterations to the pool's state is not important because we don't |
1816 | - * consider such inputs to contribute any randomness. The only |
1817 | - * property we need with respect to them is that the attacker can't |
1818 | - * increase his/her knowledge of the pool's state. Since all |
1819 | - * additions are reversible (knowing the final state and the input, |
1820 | - * you can reconstruct the initial state), if an attacker has any |
1821 | - * uncertainty about the initial state, he/she can only shuffle that |
1822 | - * uncertainty about, but never cause any collisions (which would |
1823 | - * decrease the uncertainty). |
1824 | + * Add a callback function that will be invoked when the input |
1825 | + * pool is initialised. |
1826 | * |
1827 | - * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and |
1828 | - * Videau in their paper, "The Linux Pseudorandom Number Generator |
1829 | - * Revisited" (see: http://eprint.iacr.org/2012/251.pdf). In their |
1830 | - * paper, they point out that we are not using a true Twisted GFSR, |
1831 | - * since Matsumoto & Kurita used a trinomial feedback polynomial (that |
1832 | - * is, with only three taps, instead of the six that we are using). |
1833 | - * As a result, the resulting polynomial is neither primitive nor |
1834 | - * irreducible, and hence does not have a maximal period over |
1835 | - * GF(2**32). They suggest a slight change to the generator |
1836 | - * polynomial which improves the resulting TGFSR polynomial to be |
1837 | - * irreducible, which we have made here. |
1838 | + * returns: 0 if callback is successfully added |
1839 | + * -EALREADY if pool is already initialised (callback not called) |
1840 | */ |
1841 | -static const struct poolinfo { |
1842 | - int poolbitshift, poolwords, poolbytes, poolfracbits; |
1843 | -#define S(x) ilog2(x)+5, (x), (x)*4, (x) << (ENTROPY_SHIFT+5) |
1844 | - int tap1, tap2, tap3, tap4, tap5; |
1845 | -} poolinfo_table[] = { |
1846 | - /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ |
1847 | - /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ |
1848 | - { S(128), 104, 76, 51, 25, 1 }, |
1849 | - /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ |
1850 | - /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ |
1851 | - { S(32), 26, 19, 14, 7, 1 }, |
1852 | -#if 0 |
1853 | - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ |
1854 | - { S(2048), 1638, 1231, 819, 411, 1 }, |
1855 | - |
1856 | - /* x^1024 + x^817 + x^615 + x^412 + x^204 + x + 1 -- 290 */ |
1857 | - { S(1024), 817, 615, 412, 204, 1 }, |
1858 | - |
1859 | - /* x^1024 + x^819 + x^616 + x^410 + x^207 + x^2 + 1 -- 115 */ |
1860 | - { S(1024), 819, 616, 410, 207, 2 }, |
1861 | - |
1862 | - /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */ |
1863 | - { S(512), 411, 308, 208, 104, 1 }, |
1864 | - |
1865 | - /* x^512 + x^409 + x^307 + x^206 + x^102 + x^2 + 1 -- 95 */ |
1866 | - { S(512), 409, 307, 206, 102, 2 }, |
1867 | - /* x^512 + x^409 + x^309 + x^205 + x^103 + x^2 + 1 -- 95 */ |
1868 | - { S(512), 409, 309, 205, 103, 2 }, |
1869 | - |
1870 | - /* x^256 + x^205 + x^155 + x^101 + x^52 + x + 1 -- 125 */ |
1871 | - { S(256), 205, 155, 101, 52, 1 }, |
1872 | - |
1873 | - /* x^128 + x^103 + x^78 + x^51 + x^27 + x^2 + 1 -- 70 */ |
1874 | - { S(128), 103, 78, 51, 27, 2 }, |
1875 | - |
1876 | - /* x^64 + x^52 + x^39 + x^26 + x^14 + x + 1 -- 15 */ |
1877 | - { S(64), 52, 39, 26, 14, 1 }, |
1878 | -#endif |
1879 | -}; |
1880 | +int __cold register_random_ready_notifier(struct notifier_block *nb) |
1881 | +{ |
1882 | + unsigned long flags; |
1883 | + int ret = -EALREADY; |
1884 | + |
1885 | + if (crng_ready()) |
1886 | + return ret; |
1887 | + |
1888 | + spin_lock_irqsave(&random_ready_chain_lock, flags); |
1889 | + if (!crng_ready()) |
1890 | + ret = raw_notifier_chain_register(&random_ready_chain, nb); |
1891 | + spin_unlock_irqrestore(&random_ready_chain_lock, flags); |
1892 | + return ret; |
1893 | +} |
1894 | |
1895 | /* |
1896 | - * Static global variables |
1897 | + * Delete a previously registered readiness callback function. |
1898 | */ |
1899 | -static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); |
1900 | -static DECLARE_WAIT_QUEUE_HEAD(random_write_wait); |
1901 | -static struct fasync_struct *fasync; |
1902 | - |
1903 | -static DEFINE_SPINLOCK(random_ready_list_lock); |
1904 | -static LIST_HEAD(random_ready_list); |
1905 | +int __cold unregister_random_ready_notifier(struct notifier_block *nb) |
1906 | +{ |
1907 | + unsigned long flags; |
1908 | + int ret; |
1909 | |
1910 | -struct crng_state { |
1911 | - __u32 state[16]; |
1912 | - unsigned long init_time; |
1913 | - spinlock_t lock; |
1914 | -}; |
1915 | + spin_lock_irqsave(&random_ready_chain_lock, flags); |
1916 | + ret = raw_notifier_chain_unregister(&random_ready_chain, nb); |
1917 | + spin_unlock_irqrestore(&random_ready_chain_lock, flags); |
1918 | + return ret; |
1919 | +} |
1920 | |
1921 | -static struct crng_state primary_crng = { |
1922 | - .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock), |
1923 | -}; |
1924 | +static void __cold process_random_ready_list(void) |
1925 | +{ |
1926 | + unsigned long flags; |
1927 | |
1928 | -/* |
1929 | - * crng_init = 0 --> Uninitialized |
1930 | - * 1 --> Initialized |
1931 | - * 2 --> Initialized from input_pool |
1932 | - * |
1933 | - * crng_init is protected by primary_crng->lock, and only increases |
1934 | - * its value (from 0->1->2). |
1935 | - */ |
1936 | -static int crng_init = 0; |
1937 | -static bool crng_need_final_init = false; |
1938 | -#define crng_ready() (likely(crng_init > 1)) |
1939 | -static int crng_init_cnt = 0; |
1940 | -static unsigned long crng_global_init_time = 0; |
1941 | -#define CRNG_INIT_CNT_THRESH (2*CHACHA_KEY_SIZE) |
1942 | -static void _extract_crng(struct crng_state *crng, __u8 out[CHACHA_BLOCK_SIZE]); |
1943 | -static void _crng_backtrack_protect(struct crng_state *crng, |
1944 | - __u8 tmp[CHACHA_BLOCK_SIZE], int used); |
1945 | -static void process_random_ready_list(void); |
1946 | -static void _get_random_bytes(void *buf, int nbytes); |
1947 | - |
1948 | -static struct ratelimit_state unseeded_warning = |
1949 | - RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3); |
1950 | -static struct ratelimit_state urandom_warning = |
1951 | - RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); |
1952 | + spin_lock_irqsave(&random_ready_chain_lock, flags); |
1953 | + raw_notifier_call_chain(&random_ready_chain, 0, NULL); |
1954 | + spin_unlock_irqrestore(&random_ready_chain_lock, flags); |
1955 | +} |
1956 | |
1957 | -static int ratelimit_disable __read_mostly; |
1958 | +#define warn_unseeded_randomness() \ |
1959 | + if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \ |
1960 | + printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \ |
1961 | + __func__, (void *)_RET_IP_, crng_init) |
1962 | |
1963 | -module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); |
1964 | -MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); |
1965 | |
1966 | -/********************************************************************** |
1967 | +/********************************************************************* |
1968 | * |
1969 | - * OS independent entropy store. Here are the functions which handle |
1970 | - * storing entropy in an entropy pool. |
1971 | + * Fast key erasure RNG, the "crng". |
1972 | * |
1973 | - **********************************************************************/ |
1974 | + * These functions expand entropy from the entropy extractor into |
1975 | + * long streams for external consumption using the "fast key erasure" |
1976 | + * RNG described at <https://blog.cr.yp.to/20170723-random.html>. |
1977 | + * |
1978 | + * There are a few exported interfaces for use by other drivers: |
1979 | + * |
1980 | + * void get_random_bytes(void *buf, size_t len) |
1981 | + * u32 get_random_u32() |
1982 | + * u64 get_random_u64() |
1983 | + * unsigned int get_random_int() |
1984 | + * unsigned long get_random_long() |
1985 | + * |
1986 | + * These interfaces will return the requested number of random bytes |
1987 | + * into the given buffer or as a return value. This is equivalent to |
1988 | + * a read from /dev/urandom. The u32, u64, int, and long family of |
1989 | + * functions may be higher performance for one-off random integers, |
1990 | + * because they do a bit of buffering and do not invoke reseeding |
1991 | + * until the buffer is emptied. |
1992 | + * |
1993 | + *********************************************************************/ |
1994 | |
1995 | -struct entropy_store; |
1996 | -struct entropy_store { |
1997 | - /* read-only data: */ |
1998 | - const struct poolinfo *poolinfo; |
1999 | - __u32 *pool; |
2000 | - const char *name; |
2001 | - struct entropy_store *pull; |
2002 | - struct work_struct push_work; |
2003 | - |
2004 | - /* read-write data: */ |
2005 | - unsigned long last_pulled; |
2006 | - spinlock_t lock; |
2007 | - unsigned short add_ptr; |
2008 | - unsigned short input_rotate; |
2009 | - int entropy_count; |
2010 | - unsigned int initialized:1; |
2011 | - unsigned int last_data_init:1; |
2012 | - __u8 last_data[EXTRACT_SIZE]; |
2013 | +enum { |
2014 | + CRNG_RESEED_START_INTERVAL = HZ, |
2015 | + CRNG_RESEED_INTERVAL = 60 * HZ |
2016 | }; |
2017 | |
2018 | -static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
2019 | - size_t nbytes, int min, int rsvd); |
2020 | -static ssize_t _extract_entropy(struct entropy_store *r, void *buf, |
2021 | - size_t nbytes, int fips); |
2022 | - |
2023 | -static void crng_reseed(struct crng_state *crng, struct entropy_store *r); |
2024 | -static void push_to_pool(struct work_struct *work); |
2025 | -static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy; |
2026 | -static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy; |
2027 | +static struct { |
2028 | + u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long)); |
2029 | + unsigned long birth; |
2030 | + unsigned long generation; |
2031 | + spinlock_t lock; |
2032 | +} base_crng = { |
2033 | + .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock) |
2034 | +}; |
2035 | |
2036 | -static struct entropy_store input_pool = { |
2037 | - .poolinfo = &poolinfo_table[0], |
2038 | - .name = "input", |
2039 | - .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), |
2040 | - .pool = input_pool_data |
2041 | +struct crng { |
2042 | + u8 key[CHACHA_KEY_SIZE]; |
2043 | + unsigned long generation; |
2044 | }; |
2045 | |
2046 | -static struct entropy_store blocking_pool = { |
2047 | - .poolinfo = &poolinfo_table[1], |
2048 | - .name = "blocking", |
2049 | - .pull = &input_pool, |
2050 | - .lock = __SPIN_LOCK_UNLOCKED(blocking_pool.lock), |
2051 | - .pool = blocking_pool_data, |
2052 | - .push_work = __WORK_INITIALIZER(blocking_pool.push_work, |
2053 | - push_to_pool), |
2054 | +static DEFINE_PER_CPU(struct crng, crngs) = { |
2055 | + .generation = ULONG_MAX |
2056 | }; |
2057 | |
2058 | -static __u32 const twist_table[8] = { |
2059 | - 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158, |
2060 | - 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 }; |
2061 | +/* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */ |
2062 | +static void extract_entropy(void *buf, size_t len); |
2063 | |
2064 | -/* |
2065 | - * This function adds bytes into the entropy "pool". It does not |
2066 | - * update the entropy estimate. The caller should call |
2067 | - * credit_entropy_bits if this is appropriate. |
2068 | - * |
2069 | - * The pool is stirred with a primitive polynomial of the appropriate |
2070 | - * degree, and then twisted. We twist by three bits at a time because |
2071 | - * it's cheap to do so and helps slightly in the expected case where |
2072 | - * the entropy is concentrated in the low-order bits. |
2073 | - */ |
2074 | -static void _mix_pool_bytes(struct entropy_store *r, const void *in, |
2075 | - int nbytes) |
2076 | +/* This extracts a new crng key from the input pool. */ |
2077 | +static void crng_reseed(void) |
2078 | { |
2079 | - unsigned long i, tap1, tap2, tap3, tap4, tap5; |
2080 | - int input_rotate; |
2081 | - int wordmask = r->poolinfo->poolwords - 1; |
2082 | - const char *bytes = in; |
2083 | - __u32 w; |
2084 | - |
2085 | - tap1 = r->poolinfo->tap1; |
2086 | - tap2 = r->poolinfo->tap2; |
2087 | - tap3 = r->poolinfo->tap3; |
2088 | - tap4 = r->poolinfo->tap4; |
2089 | - tap5 = r->poolinfo->tap5; |
2090 | - |
2091 | - input_rotate = r->input_rotate; |
2092 | - i = r->add_ptr; |
2093 | - |
2094 | - /* mix one byte at a time to simplify size handling and churn faster */ |
2095 | - while (nbytes--) { |
2096 | - w = rol32(*bytes++, input_rotate); |
2097 | - i = (i - 1) & wordmask; |
2098 | - |
2099 | - /* XOR in the various taps */ |
2100 | - w ^= r->pool[i]; |
2101 | - w ^= r->pool[(i + tap1) & wordmask]; |
2102 | - w ^= r->pool[(i + tap2) & wordmask]; |
2103 | - w ^= r->pool[(i + tap3) & wordmask]; |
2104 | - w ^= r->pool[(i + tap4) & wordmask]; |
2105 | - w ^= r->pool[(i + tap5) & wordmask]; |
2106 | - |
2107 | - /* Mix the result back in with a twist */ |
2108 | - r->pool[i] = (w >> 3) ^ twist_table[w & 7]; |
2109 | - |
2110 | - /* |
2111 | - * Normally, we add 7 bits of rotation to the pool. |
2112 | - * At the beginning of the pool, add an extra 7 bits |
2113 | - * rotation, so that successive passes spread the |
2114 | - * input bits across the pool evenly. |
2115 | - */ |
2116 | - input_rotate = (input_rotate + (i ? 7 : 14)) & 31; |
2117 | - } |
2118 | + unsigned long flags; |
2119 | + unsigned long next_gen; |
2120 | + u8 key[CHACHA_KEY_SIZE]; |
2121 | |
2122 | - r->input_rotate = input_rotate; |
2123 | - r->add_ptr = i; |
2124 | -} |
2125 | + extract_entropy(key, sizeof(key)); |
2126 | |
2127 | -static void __mix_pool_bytes(struct entropy_store *r, const void *in, |
2128 | - int nbytes) |
2129 | -{ |
2130 | - trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_); |
2131 | - _mix_pool_bytes(r, in, nbytes); |
2132 | + /* |
2133 | + * We copy the new key into the base_crng, overwriting the old one, |
2134 | + * and update the generation counter. We avoid hitting ULONG_MAX, |
2135 | + * because the per-cpu crngs are initialized to ULONG_MAX, so this |
2136 | + * forces new CPUs that come online to always initialize. |
2137 | + */ |
2138 | + spin_lock_irqsave(&base_crng.lock, flags); |
2139 | + memcpy(base_crng.key, key, sizeof(base_crng.key)); |
2140 | + next_gen = base_crng.generation + 1; |
2141 | + if (next_gen == ULONG_MAX) |
2142 | + ++next_gen; |
2143 | + WRITE_ONCE(base_crng.generation, next_gen); |
2144 | + WRITE_ONCE(base_crng.birth, jiffies); |
2145 | + if (!crng_ready()) |
2146 | + crng_init = CRNG_READY; |
2147 | + spin_unlock_irqrestore(&base_crng.lock, flags); |
2148 | + memzero_explicit(key, sizeof(key)); |
2149 | } |
2150 | |
2151 | -static void mix_pool_bytes(struct entropy_store *r, const void *in, |
2152 | - int nbytes) |
2153 | +/* |
2154 | + * This generates a ChaCha block using the provided key, and then |
2155 | + * immediately overwites that key with half the block. It returns |
2156 | + * the resultant ChaCha state to the user, along with the second |
2157 | + * half of the block containing 32 bytes of random data that may |
2158 | + * be used; random_data_len may not be greater than 32. |
2159 | + * |
2160 | + * The returned ChaCha state contains within it a copy of the old |
2161 | + * key value, at index 4, so the state should always be zeroed out |
2162 | + * immediately after using in order to maintain forward secrecy. |
2163 | + * If the state cannot be erased in a timely manner, then it is |
2164 | + * safer to set the random_data parameter to &chacha_state[4] so |
2165 | + * that this function overwrites it before returning. |
2166 | + */ |
2167 | +static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], |
2168 | + u32 chacha_state[CHACHA_BLOCK_SIZE / sizeof(u32)], |
2169 | + u8 *random_data, size_t random_data_len) |
2170 | { |
2171 | - unsigned long flags; |
2172 | + u8 first_block[CHACHA_BLOCK_SIZE]; |
2173 | + |
2174 | + BUG_ON(random_data_len > 32); |
2175 | |
2176 | - trace_mix_pool_bytes(r->name, nbytes, _RET_IP_); |
2177 | - spin_lock_irqsave(&r->lock, flags); |
2178 | - _mix_pool_bytes(r, in, nbytes); |
2179 | - spin_unlock_irqrestore(&r->lock, flags); |
2180 | + chacha_init_consts(chacha_state); |
2181 | + memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE); |
2182 | + memset(&chacha_state[12], 0, sizeof(u32) * 4); |
2183 | + chacha20_block(chacha_state, first_block); |
2184 | + |
2185 | + memcpy(key, first_block, CHACHA_KEY_SIZE); |
2186 | + memcpy(random_data, first_block + CHACHA_KEY_SIZE, random_data_len); |
2187 | + memzero_explicit(first_block, sizeof(first_block)); |
2188 | } |
2189 | |
2190 | -struct fast_pool { |
2191 | - __u32 pool[4]; |
2192 | - unsigned long last; |
2193 | - unsigned short reg_idx; |
2194 | - unsigned char count; |
2195 | -}; |
2196 | +/* |
2197 | + * Return whether the crng seed is considered to be sufficiently old |
2198 | + * that a reseeding is needed. This happens if the last reseeding |
2199 | + * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval |
2200 | + * proportional to the uptime. |
2201 | + */ |
2202 | +static bool crng_has_old_seed(void) |
2203 | +{ |
2204 | + static bool early_boot = true; |
2205 | + unsigned long interval = CRNG_RESEED_INTERVAL; |
2206 | + |
2207 | + if (unlikely(READ_ONCE(early_boot))) { |
2208 | + time64_t uptime = ktime_get_seconds(); |
2209 | + if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2) |
2210 | + WRITE_ONCE(early_boot, false); |
2211 | + else |
2212 | + interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL, |
2213 | + (unsigned int)uptime / 2 * HZ); |
2214 | + } |
2215 | + return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval); |
2216 | +} |
2217 | |
2218 | /* |
2219 | - * This is a fast mixing routine used by the interrupt randomness |
2220 | - * collector. It's hardcoded for an 128 bit pool and assumes that any |
2221 | - * locks that might be needed are taken by the caller. |
2222 | + * This function returns a ChaCha state that you may use for generating |
2223 | + * random data. It also returns up to 32 bytes on its own of random data |
2224 | + * that may be used; random_data_len may not be greater than 32. |
2225 | */ |
2226 | -static void fast_mix(struct fast_pool *f) |
2227 | +static void crng_make_state(u32 chacha_state[CHACHA_BLOCK_SIZE / sizeof(u32)], |
2228 | + u8 *random_data, size_t random_data_len) |
2229 | { |
2230 | - __u32 a = f->pool[0], b = f->pool[1]; |
2231 | - __u32 c = f->pool[2], d = f->pool[3]; |
2232 | + unsigned long flags; |
2233 | + struct crng *crng; |
2234 | |
2235 | - a += b; c += d; |
2236 | - b = rol32(b, 6); d = rol32(d, 27); |
2237 | - d ^= a; b ^= c; |
2238 | + BUG_ON(random_data_len > 32); |
2239 | + |
2240 | + /* |
2241 | + * For the fast path, we check whether we're ready, unlocked first, and |
2242 | + * then re-check once locked later. In the case where we're really not |
2243 | + * ready, we do fast key erasure with the base_crng directly, extracting |
2244 | + * when crng_init is CRNG_EMPTY. |
2245 | + */ |
2246 | + if (!crng_ready()) { |
2247 | + bool ready; |
2248 | + |
2249 | + spin_lock_irqsave(&base_crng.lock, flags); |
2250 | + ready = crng_ready(); |
2251 | + if (!ready) { |
2252 | + if (crng_init == CRNG_EMPTY) |
2253 | + extract_entropy(base_crng.key, sizeof(base_crng.key)); |
2254 | + crng_fast_key_erasure(base_crng.key, chacha_state, |
2255 | + random_data, random_data_len); |
2256 | + } |
2257 | + spin_unlock_irqrestore(&base_crng.lock, flags); |
2258 | + if (!ready) |
2259 | + return; |
2260 | + } |
2261 | |
2262 | - a += b; c += d; |
2263 | - b = rol32(b, 16); d = rol32(d, 14); |
2264 | - d ^= a; b ^= c; |
2265 | + /* |
2266 | + * If the base_crng is old enough, we reseed, which in turn bumps the |
2267 | + * generation counter that we check below. |
2268 | + */ |
2269 | + if (unlikely(crng_has_old_seed())) |
2270 | + crng_reseed(); |
2271 | |
2272 | - a += b; c += d; |
2273 | - b = rol32(b, 6); d = rol32(d, 27); |
2274 | - d ^= a; b ^= c; |
2275 | + local_irq_save(flags); |
2276 | + crng = raw_cpu_ptr(&crngs); |
2277 | |
2278 | - a += b; c += d; |
2279 | - b = rol32(b, 16); d = rol32(d, 14); |
2280 | - d ^= a; b ^= c; |
2281 | + /* |
2282 | + * If our per-cpu crng is older than the base_crng, then it means |
2283 | + * somebody reseeded the base_crng. In that case, we do fast key |
2284 | + * erasure on the base_crng, and use its output as the new key |
2285 | + * for our per-cpu crng. This brings us up to date with base_crng. |
2286 | + */ |
2287 | + if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) { |
2288 | + spin_lock(&base_crng.lock); |
2289 | + crng_fast_key_erasure(base_crng.key, chacha_state, |
2290 | + crng->key, sizeof(crng->key)); |
2291 | + crng->generation = base_crng.generation; |
2292 | + spin_unlock(&base_crng.lock); |
2293 | + } |
2294 | |
2295 | - f->pool[0] = a; f->pool[1] = b; |
2296 | - f->pool[2] = c; f->pool[3] = d; |
2297 | - f->count++; |
2298 | + /* |
2299 | + * Finally, when we've made it this far, our per-cpu crng has an up |
2300 | + * to date key, and we can do fast key erasure with it to produce |
2301 | + * some random data and a ChaCha state for the caller. All other |
2302 | + * branches of this function are "unlikely", so most of the time we |
2303 | + * should wind up here immediately. |
2304 | + */ |
2305 | + crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len); |
2306 | + local_irq_restore(flags); |
2307 | } |
2308 | |
2309 | -static void process_random_ready_list(void) |
2310 | +static void _get_random_bytes(void *buf, size_t len) |
2311 | { |
2312 | - unsigned long flags; |
2313 | - struct random_ready_callback *rdy, *tmp; |
2314 | + u32 chacha_state[CHACHA_BLOCK_SIZE / sizeof(u32)]; |
2315 | + u8 tmp[CHACHA_BLOCK_SIZE]; |
2316 | + size_t first_block_len; |
2317 | + |
2318 | + if (!len) |
2319 | + return; |
2320 | + |
2321 | + first_block_len = min_t(size_t, 32, len); |
2322 | + crng_make_state(chacha_state, buf, first_block_len); |
2323 | + len -= first_block_len; |
2324 | + buf += first_block_len; |
2325 | |
2326 | - spin_lock_irqsave(&random_ready_list_lock, flags); |
2327 | - list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) { |
2328 | - struct module *owner = rdy->owner; |
2329 | + while (len) { |
2330 | + if (len < CHACHA_BLOCK_SIZE) { |
2331 | + chacha20_block(chacha_state, tmp); |
2332 | + memcpy(buf, tmp, len); |
2333 | + memzero_explicit(tmp, sizeof(tmp)); |
2334 | + break; |
2335 | + } |
2336 | |
2337 | - list_del_init(&rdy->list); |
2338 | - rdy->func(rdy); |
2339 | - module_put(owner); |
2340 | + chacha20_block(chacha_state, buf); |
2341 | + if (unlikely(chacha_state[12] == 0)) |
2342 | + ++chacha_state[13]; |
2343 | + len -= CHACHA_BLOCK_SIZE; |
2344 | + buf += CHACHA_BLOCK_SIZE; |
2345 | } |
2346 | - spin_unlock_irqrestore(&random_ready_list_lock, flags); |
2347 | + |
2348 | + memzero_explicit(chacha_state, sizeof(chacha_state)); |
2349 | } |
2350 | |
2351 | /* |
2352 | - * Credit (or debit) the entropy store with n bits of entropy. |
2353 | - * Use credit_entropy_bits_safe() if the value comes from userspace |
2354 | - * or otherwise should be checked for extreme values. |
2355 | + * This function is the exported kernel interface. It returns some |
2356 | + * number of good random numbers, suitable for key generation, seeding |
2357 | + * TCP sequence numbers, etc. It does not rely on the hardware random |
2358 | + * number generator. For random bytes direct from the hardware RNG |
2359 | + * (when available), use get_random_bytes_arch(). In order to ensure |
2360 | + * that the randomness provided by this function is okay, the function |
2361 | + * wait_for_random_bytes() should be called and return 0 at least once |
2362 | + * at any point prior. |
2363 | */ |
2364 | -static void credit_entropy_bits(struct entropy_store *r, int nbits) |
2365 | +void get_random_bytes(void *buf, size_t len) |
2366 | { |
2367 | - int entropy_count, orig, has_initialized = 0; |
2368 | - const int pool_size = r->poolinfo->poolfracbits; |
2369 | - int nfrac = nbits << ENTROPY_SHIFT; |
2370 | + warn_unseeded_randomness(); |
2371 | + _get_random_bytes(buf, len); |
2372 | +} |
2373 | +EXPORT_SYMBOL(get_random_bytes); |
2374 | |
2375 | - if (!nbits) |
2376 | - return; |
2377 | +static ssize_t get_random_bytes_user(struct iov_iter *iter) |
2378 | +{ |
2379 | + u32 chacha_state[CHACHA_BLOCK_SIZE / sizeof(u32)]; |
2380 | + u8 block[CHACHA_BLOCK_SIZE]; |
2381 | + size_t ret = 0, copied; |
2382 | |
2383 | -retry: |
2384 | - entropy_count = orig = READ_ONCE(r->entropy_count); |
2385 | - if (nfrac < 0) { |
2386 | - /* Debit */ |
2387 | - entropy_count += nfrac; |
2388 | - } else { |
2389 | - /* |
2390 | - * Credit: we have to account for the possibility of |
2391 | - * overwriting already present entropy. Even in the |
2392 | - * ideal case of pure Shannon entropy, new contributions |
2393 | - * approach the full value asymptotically: |
2394 | - * |
2395 | - * entropy <- entropy + (pool_size - entropy) * |
2396 | - * (1 - exp(-add_entropy/pool_size)) |
2397 | - * |
2398 | - * For add_entropy <= pool_size/2 then |
2399 | - * (1 - exp(-add_entropy/pool_size)) >= |
2400 | - * (add_entropy/pool_size)*0.7869... |
2401 | - * so we can approximate the exponential with |
2402 | - * 3/4*add_entropy/pool_size and still be on the |
2403 | - * safe side by adding at most pool_size/2 at a time. |
2404 | - * |
2405 | - * The use of pool_size-2 in the while statement is to |
2406 | - * prevent rounding artifacts from making the loop |
2407 | - * arbitrarily long; this limits the loop to log2(pool_size)*2 |
2408 | - * turns no matter how large nbits is. |
2409 | - */ |
2410 | - int pnfrac = nfrac; |
2411 | - const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2; |
2412 | - /* The +2 corresponds to the /4 in the denominator */ |
2413 | - |
2414 | - do { |
2415 | - unsigned int anfrac = min(pnfrac, pool_size/2); |
2416 | - unsigned int add = |
2417 | - ((pool_size - entropy_count)*anfrac*3) >> s; |
2418 | - |
2419 | - entropy_count += add; |
2420 | - pnfrac -= anfrac; |
2421 | - } while (unlikely(entropy_count < pool_size-2 && pnfrac)); |
2422 | - } |
2423 | + if (unlikely(!iov_iter_count(iter))) |
2424 | + return 0; |
2425 | |
2426 | - if (unlikely(entropy_count < 0)) { |
2427 | - pr_warn("random: negative entropy/overflow: pool %s count %d\n", |
2428 | - r->name, entropy_count); |
2429 | - WARN_ON(1); |
2430 | - entropy_count = 0; |
2431 | - } else if (entropy_count > pool_size) |
2432 | - entropy_count = pool_size; |
2433 | - if ((r == &blocking_pool) && !r->initialized && |
2434 | - (entropy_count >> ENTROPY_SHIFT) > 128) |
2435 | - has_initialized = 1; |
2436 | - if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
2437 | - goto retry; |
2438 | - |
2439 | - if (has_initialized) { |
2440 | - r->initialized = 1; |
2441 | - wake_up_interruptible(&random_read_wait); |
2442 | - kill_fasync(&fasync, SIGIO, POLL_IN); |
2443 | + /* |
2444 | + * Immediately overwrite the ChaCha key at index 4 with random |
2445 | + * bytes, in case userspace causes copy_to_user() below to sleep |
2446 | + * forever, so that we still retain forward secrecy in that case. |
2447 | + */ |
2448 | + crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); |
2449 | + /* |
2450 | + * However, if we're doing a read of len <= 32, we don't need to |
2451 | + * use chacha_state after, so we can simply return those bytes to |
2452 | + * the user directly. |
2453 | + */ |
2454 | + if (iov_iter_count(iter) <= CHACHA_KEY_SIZE) { |
2455 | + ret = copy_to_iter(&chacha_state[4], CHACHA_KEY_SIZE, iter); |
2456 | + goto out_zero_chacha; |
2457 | } |
2458 | |
2459 | - trace_credit_entropy_bits(r->name, nbits, |
2460 | - entropy_count >> ENTROPY_SHIFT, _RET_IP_); |
2461 | + for (;;) { |
2462 | + chacha20_block(chacha_state, block); |
2463 | + if (unlikely(chacha_state[12] == 0)) |
2464 | + ++chacha_state[13]; |
2465 | |
2466 | - if (r == &input_pool) { |
2467 | - int entropy_bits = entropy_count >> ENTROPY_SHIFT; |
2468 | - struct entropy_store *other = &blocking_pool; |
2469 | - |
2470 | - if (crng_init < 2) { |
2471 | - if (entropy_bits < 128) |
2472 | - return; |
2473 | - crng_reseed(&primary_crng, r); |
2474 | - entropy_bits = r->entropy_count >> ENTROPY_SHIFT; |
2475 | - } |
2476 | - |
2477 | - /* initialize the blocking pool if necessary */ |
2478 | - if (entropy_bits >= random_read_wakeup_bits && |
2479 | - !other->initialized) { |
2480 | - schedule_work(&other->push_work); |
2481 | - return; |
2482 | - } |
2483 | + copied = copy_to_iter(block, sizeof(block), iter); |
2484 | + ret += copied; |
2485 | + if (!iov_iter_count(iter) || copied != sizeof(block)) |
2486 | + break; |
2487 | |
2488 | - /* should we wake readers? */ |
2489 | - if (entropy_bits >= random_read_wakeup_bits && |
2490 | - wq_has_sleeper(&random_read_wait)) { |
2491 | - wake_up_interruptible(&random_read_wait); |
2492 | - kill_fasync(&fasync, SIGIO, POLL_IN); |
2493 | + BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); |
2494 | + if (ret % PAGE_SIZE == 0) { |
2495 | + if (signal_pending(current)) |
2496 | + break; |
2497 | + cond_resched(); |
2498 | } |
2499 | - /* If the input pool is getting full, and the blocking |
2500 | - * pool has room, send some entropy to the blocking |
2501 | - * pool. |
2502 | - */ |
2503 | - if (!work_pending(&other->push_work) && |
2504 | - (ENTROPY_BITS(r) > 6 * r->poolinfo->poolbytes) && |
2505 | - (ENTROPY_BITS(other) <= 6 * other->poolinfo->poolbytes)) |
2506 | - schedule_work(&other->push_work); |
2507 | } |
2508 | -} |
2509 | |
2510 | -static int credit_entropy_bits_safe(struct entropy_store *r, int nbits) |
2511 | -{ |
2512 | - const int nbits_max = r->poolinfo->poolwords * 32; |
2513 | - |
2514 | - if (nbits < 0) |
2515 | - return -EINVAL; |
2516 | - |
2517 | - /* Cap the value to avoid overflows */ |
2518 | - nbits = min(nbits, nbits_max); |
2519 | - |
2520 | - credit_entropy_bits(r, nbits); |
2521 | - return 0; |
2522 | + memzero_explicit(block, sizeof(block)); |
2523 | +out_zero_chacha: |
2524 | + memzero_explicit(chacha_state, sizeof(chacha_state)); |
2525 | + return ret ? ret : -EFAULT; |
2526 | } |
2527 | |
2528 | -/********************************************************************* |
2529 | - * |
2530 | - * CRNG using CHACHA20 |
2531 | - * |
2532 | - *********************************************************************/ |
2533 | - |
2534 | -#define CRNG_RESEED_INTERVAL (300*HZ) |
2535 | - |
2536 | -static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait); |
2537 | +/* |
2538 | + * Batched entropy returns random integers. The quality of the random |
2539 | + * number is good as /dev/urandom. In order to ensure that the randomness |
2540 | + * provided by this function is okay, the function wait_for_random_bytes() |
2541 | + * should be called and return 0 at least once at any point prior. |
2542 | + */ |
2543 | |
2544 | -#ifdef CONFIG_NUMA |
2545 | +#define DEFINE_BATCHED_ENTROPY(type) \ |
2546 | +struct batch_ ##type { \ |
2547 | + /* \ |
2548 | + * We make this 1.5x a ChaCha block, so that we get the \ |
2549 | + * remaining 32 bytes from fast key erasure, plus one full \ |
2550 | + * block from the detached ChaCha state. We can increase \ |
2551 | + * the size of this later if needed so long as we keep the \ |
2552 | + * formula of (integer_blocks + 0.5) * CHACHA_BLOCK_SIZE. \ |
2553 | + */ \ |
2554 | + type entropy[CHACHA_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \ |
2555 | + unsigned long generation; \ |
2556 | + unsigned int position; \ |
2557 | +}; \ |
2558 | + \ |
2559 | +static DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \ |
2560 | + .position = UINT_MAX \ |
2561 | +}; \ |
2562 | + \ |
2563 | +type get_random_ ##type(void) \ |
2564 | +{ \ |
2565 | + type ret; \ |
2566 | + unsigned long flags; \ |
2567 | + struct batch_ ##type *batch; \ |
2568 | + unsigned long next_gen; \ |
2569 | + \ |
2570 | + warn_unseeded_randomness(); \ |
2571 | + \ |
2572 | + if (!crng_ready()) { \ |
2573 | + _get_random_bytes(&ret, sizeof(ret)); \ |
2574 | + return ret; \ |
2575 | + } \ |
2576 | + \ |
2577 | + local_irq_save(flags); \ |
2578 | + batch = raw_cpu_ptr(&batched_entropy_##type); \ |
2579 | + \ |
2580 | + next_gen = READ_ONCE(base_crng.generation); \ |
2581 | + if (batch->position >= ARRAY_SIZE(batch->entropy) || \ |
2582 | + next_gen != batch->generation) { \ |
2583 | + _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \ |
2584 | + batch->position = 0; \ |
2585 | + batch->generation = next_gen; \ |
2586 | + } \ |
2587 | + \ |
2588 | + ret = batch->entropy[batch->position]; \ |
2589 | + batch->entropy[batch->position] = 0; \ |
2590 | + ++batch->position; \ |
2591 | + local_irq_restore(flags); \ |
2592 | + return ret; \ |
2593 | +} \ |
2594 | +EXPORT_SYMBOL(get_random_ ##type); |
2595 | + |
2596 | +DEFINE_BATCHED_ENTROPY(u64) |
2597 | +DEFINE_BATCHED_ENTROPY(u32) |
2598 | + |
2599 | +#ifdef CONFIG_SMP |
2600 | /* |
2601 | - * Hack to deal with crazy userspace progams when they are all trying |
2602 | - * to access /dev/urandom in parallel. The programs are almost |
2603 | - * certainly doing something terribly wrong, but we'll work around |
2604 | - * their brain damage. |
2605 | + * This function is called when the CPU is coming up, with entry |
2606 | + * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP. |
2607 | */ |
2608 | -static struct crng_state **crng_node_pool __read_mostly; |
2609 | +int __cold random_prepare_cpu(unsigned int cpu) |
2610 | +{ |
2611 | + /* |
2612 | + * When the cpu comes back online, immediately invalidate both |
2613 | + * the per-cpu crng and all batches, so that we serve fresh |
2614 | + * randomness. |
2615 | + */ |
2616 | + per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX; |
2617 | + per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX; |
2618 | + per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX; |
2619 | + return 0; |
2620 | +} |
2621 | #endif |
2622 | |
2623 | -static void invalidate_batched_entropy(void); |
2624 | -static void numa_crng_init(void); |
2625 | +/* |
2626 | + * This function will use the architecture-specific hardware random |
2627 | + * number generator if it is available. It is not recommended for |
2628 | + * use. Use get_random_bytes() instead. It returns the number of |
2629 | + * bytes filled in. |
2630 | + */ |
2631 | +size_t __must_check get_random_bytes_arch(void *buf, size_t len) |
2632 | +{ |
2633 | + size_t left = len; |
2634 | + u8 *p = buf; |
2635 | |
2636 | -static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); |
2637 | -static int __init parse_trust_cpu(char *arg) |
2638 | -{ |
2639 | - return kstrtobool(arg, &trust_cpu); |
2640 | -} |
2641 | -early_param("random.trust_cpu", parse_trust_cpu); |
2642 | - |
2643 | -static void crng_initialize(struct crng_state *crng) |
2644 | -{ |
2645 | - int i; |
2646 | - int arch_init = 1; |
2647 | - unsigned long rv; |
2648 | - |
2649 | - memcpy(&crng->state[0], "expand 32-byte k", 16); |
2650 | - if (crng == &primary_crng) |
2651 | - _extract_entropy(&input_pool, &crng->state[4], |
2652 | - sizeof(__u32) * 12, 0); |
2653 | - else |
2654 | - _get_random_bytes(&crng->state[4], sizeof(__u32) * 12); |
2655 | - for (i = 4; i < 16; i++) { |
2656 | - if (!arch_get_random_seed_long(&rv) && |
2657 | - !arch_get_random_long(&rv)) { |
2658 | - rv = random_get_entropy(); |
2659 | - arch_init = 0; |
2660 | - } |
2661 | - crng->state[i] ^= rv; |
2662 | - } |
2663 | - if (trust_cpu && arch_init && crng == &primary_crng) { |
2664 | - invalidate_batched_entropy(); |
2665 | - numa_crng_init(); |
2666 | - crng_init = 2; |
2667 | - pr_notice("random: crng done (trusting CPU's manufacturer)\n"); |
2668 | - } |
2669 | - crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; |
2670 | -} |
2671 | + while (left) { |
2672 | + unsigned long v; |
2673 | + size_t block_len = min_t(size_t, left, sizeof(unsigned long)); |
2674 | |
2675 | -static void crng_finalize_init(struct crng_state *crng) |
2676 | -{ |
2677 | - if (crng != &primary_crng || crng_init >= 2) |
2678 | - return; |
2679 | - if (!system_wq) { |
2680 | - /* We can't call numa_crng_init until we have workqueues, |
2681 | - * so mark this for processing later. */ |
2682 | - crng_need_final_init = true; |
2683 | - return; |
2684 | - } |
2685 | + if (!arch_get_random_long(&v)) |
2686 | + break; |
2687 | |
2688 | - invalidate_batched_entropy(); |
2689 | - numa_crng_init(); |
2690 | - crng_init = 2; |
2691 | - process_random_ready_list(); |
2692 | - wake_up_interruptible(&crng_init_wait); |
2693 | - kill_fasync(&fasync, SIGIO, POLL_IN); |
2694 | - pr_notice("crng init done\n"); |
2695 | - if (unseeded_warning.missed) { |
2696 | - pr_notice("random: %d get_random_xx warning(s) missed " |
2697 | - "due to ratelimiting\n", |
2698 | - unseeded_warning.missed); |
2699 | - unseeded_warning.missed = 0; |
2700 | - } |
2701 | - if (urandom_warning.missed) { |
2702 | - pr_notice("random: %d urandom warning(s) missed " |
2703 | - "due to ratelimiting\n", |
2704 | - urandom_warning.missed); |
2705 | - urandom_warning.missed = 0; |
2706 | + memcpy(p, &v, block_len); |
2707 | + p += block_len; |
2708 | + left -= block_len; |
2709 | } |
2710 | -} |
2711 | |
2712 | -#ifdef CONFIG_NUMA |
2713 | -static void do_numa_crng_init(struct work_struct *work) |
2714 | -{ |
2715 | - int i; |
2716 | - struct crng_state *crng; |
2717 | - struct crng_state **pool; |
2718 | - |
2719 | - pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); |
2720 | - for_each_online_node(i) { |
2721 | - crng = kmalloc_node(sizeof(struct crng_state), |
2722 | - GFP_KERNEL | __GFP_NOFAIL, i); |
2723 | - spin_lock_init(&crng->lock); |
2724 | - crng_initialize(crng); |
2725 | - pool[i] = crng; |
2726 | - } |
2727 | - /* pairs with READ_ONCE() in select_crng() */ |
2728 | - if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { |
2729 | - for_each_node(i) |
2730 | - kfree(pool[i]); |
2731 | - kfree(pool); |
2732 | - } |
2733 | + return len - left; |
2734 | } |
2735 | +EXPORT_SYMBOL(get_random_bytes_arch); |
2736 | |
2737 | -static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init); |
2738 | - |
2739 | -static void numa_crng_init(void) |
2740 | -{ |
2741 | - schedule_work(&numa_crng_init_work); |
2742 | -} |
2743 | |
2744 | -static struct crng_state *select_crng(void) |
2745 | -{ |
2746 | - struct crng_state **pool; |
2747 | - int nid = numa_node_id(); |
2748 | +/********************************************************************** |
2749 | + * |
2750 | + * Entropy accumulation and extraction routines. |
2751 | + * |
2752 | + * Callers may add entropy via: |
2753 | + * |
2754 | + * static void mix_pool_bytes(const void *buf, size_t len) |
2755 | + * |
2756 | + * After which, if added entropy should be credited: |
2757 | + * |
2758 | + * static void credit_init_bits(size_t bits) |
2759 | + * |
2760 | + * Finally, extract entropy via: |
2761 | + * |
2762 | + * static void extract_entropy(void *buf, size_t len) |
2763 | + * |
2764 | + **********************************************************************/ |
2765 | |
2766 | - /* pairs with cmpxchg_release() in do_numa_crng_init() */ |
2767 | - pool = READ_ONCE(crng_node_pool); |
2768 | - if (pool && pool[nid]) |
2769 | - return pool[nid]; |
2770 | +enum { |
2771 | + POOL_BITS = BLAKE2S_HASH_SIZE * 8, |
2772 | + POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */ |
2773 | + POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */ |
2774 | +}; |
2775 | |
2776 | - return &primary_crng; |
2777 | -} |
2778 | -#else |
2779 | -static void numa_crng_init(void) {} |
2780 | +static struct { |
2781 | + struct blake2s_state hash; |
2782 | + spinlock_t lock; |
2783 | + unsigned int init_bits; |
2784 | +} input_pool = { |
2785 | + .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE), |
2786 | + BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4, |
2787 | + BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 }, |
2788 | + .hash.outlen = BLAKE2S_HASH_SIZE, |
2789 | + .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock), |
2790 | +}; |
2791 | |
2792 | -static struct crng_state *select_crng(void) |
2793 | +static void _mix_pool_bytes(const void *buf, size_t len) |
2794 | { |
2795 | - return &primary_crng; |
2796 | + blake2s_update(&input_pool.hash, buf, len); |
2797 | } |
2798 | -#endif |
2799 | |
2800 | /* |
2801 | - * crng_fast_load() can be called by code in the interrupt service |
2802 | - * path. So we can't afford to dilly-dally. Returns the number of |
2803 | - * bytes processed from cp. |
2804 | + * This function adds bytes into the input pool. It does not |
2805 | + * update the initialization bit counter; the caller should call |
2806 | + * credit_init_bits if this is appropriate. |
2807 | */ |
2808 | -static size_t crng_fast_load(const char *cp, size_t len) |
2809 | +static void mix_pool_bytes(const void *buf, size_t len) |
2810 | { |
2811 | unsigned long flags; |
2812 | - char *p; |
2813 | - size_t ret = 0; |
2814 | - |
2815 | - if (!spin_trylock_irqsave(&primary_crng.lock, flags)) |
2816 | - return 0; |
2817 | - if (crng_init != 0) { |
2818 | - spin_unlock_irqrestore(&primary_crng.lock, flags); |
2819 | - return 0; |
2820 | - } |
2821 | - p = (unsigned char *) &primary_crng.state[4]; |
2822 | - while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) { |
2823 | - p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp; |
2824 | - cp++; crng_init_cnt++; len--; ret++; |
2825 | - } |
2826 | - spin_unlock_irqrestore(&primary_crng.lock, flags); |
2827 | - if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { |
2828 | - invalidate_batched_entropy(); |
2829 | - crng_init = 1; |
2830 | - wake_up_interruptible(&crng_init_wait); |
2831 | - pr_notice("random: fast init done\n"); |
2832 | - } |
2833 | - return ret; |
2834 | -} |
2835 | |
2836 | -/* |
2837 | - * crng_slow_load() is called by add_device_randomness, which has two |
2838 | - * attributes. (1) We can't trust the buffer passed to it is |
2839 | - * guaranteed to be unpredictable (so it might not have any entropy at |
2840 | - * all), and (2) it doesn't have the performance constraints of |
2841 | - * crng_fast_load(). |
2842 | - * |
2843 | - * So we do something more comprehensive which is guaranteed to touch |
2844 | - * all of the primary_crng's state, and which uses a LFSR with a |
2845 | - * period of 255 as part of the mixing algorithm. Finally, we do |
2846 | - * *not* advance crng_init_cnt since buffer we may get may be something |
2847 | - * like a fixed DMI table (for example), which might very well be |
2848 | - * unique to the machine, but is otherwise unvarying. |
2849 | - */ |
2850 | -static int crng_slow_load(const char *cp, size_t len) |
2851 | -{ |
2852 | - unsigned long flags; |
2853 | - static unsigned char lfsr = 1; |
2854 | - unsigned char tmp; |
2855 | - unsigned i, max = CHACHA_KEY_SIZE; |
2856 | - const char * src_buf = cp; |
2857 | - char * dest_buf = (char *) &primary_crng.state[4]; |
2858 | - |
2859 | - if (!spin_trylock_irqsave(&primary_crng.lock, flags)) |
2860 | - return 0; |
2861 | - if (crng_init != 0) { |
2862 | - spin_unlock_irqrestore(&primary_crng.lock, flags); |
2863 | - return 0; |
2864 | - } |
2865 | - if (len > max) |
2866 | - max = len; |
2867 | - |
2868 | - for (i = 0; i < max ; i++) { |
2869 | - tmp = lfsr; |
2870 | - lfsr >>= 1; |
2871 | - if (tmp & 1) |
2872 | - lfsr ^= 0xE1; |
2873 | - tmp = dest_buf[i % CHACHA_KEY_SIZE]; |
2874 | - dest_buf[i % CHACHA_KEY_SIZE] ^= src_buf[i % len] ^ lfsr; |
2875 | - lfsr += (tmp << 3) | (tmp >> 5); |
2876 | - } |
2877 | - spin_unlock_irqrestore(&primary_crng.lock, flags); |
2878 | - return 1; |
2879 | -} |
2880 | - |
2881 | -static void crng_reseed(struct crng_state *crng, struct entropy_store *r) |
2882 | -{ |
2883 | - unsigned long flags; |
2884 | - int i, num; |
2885 | - union { |
2886 | - __u8 block[CHACHA_BLOCK_SIZE]; |
2887 | - __u32 key[8]; |
2888 | - } buf; |
2889 | - |
2890 | - if (r) { |
2891 | - num = extract_entropy(r, &buf, 32, 16, 0); |
2892 | - if (num == 0) |
2893 | - return; |
2894 | - } else { |
2895 | - _extract_crng(&primary_crng, buf.block); |
2896 | - _crng_backtrack_protect(&primary_crng, buf.block, |
2897 | - CHACHA_KEY_SIZE); |
2898 | - } |
2899 | - spin_lock_irqsave(&crng->lock, flags); |
2900 | - for (i = 0; i < 8; i++) { |
2901 | - unsigned long rv; |
2902 | - if (!arch_get_random_seed_long(&rv) && |
2903 | - !arch_get_random_long(&rv)) |
2904 | - rv = random_get_entropy(); |
2905 | - crng->state[i+4] ^= buf.key[i] ^ rv; |
2906 | - } |
2907 | - memzero_explicit(&buf, sizeof(buf)); |
2908 | - WRITE_ONCE(crng->init_time, jiffies); |
2909 | - spin_unlock_irqrestore(&crng->lock, flags); |
2910 | - crng_finalize_init(crng); |
2911 | -} |
2912 | - |
2913 | -static void _extract_crng(struct crng_state *crng, |
2914 | - __u8 out[CHACHA_BLOCK_SIZE]) |
2915 | -{ |
2916 | - unsigned long v, flags, init_time; |
2917 | - |
2918 | - if (crng_ready()) { |
2919 | - init_time = READ_ONCE(crng->init_time); |
2920 | - if (time_after(READ_ONCE(crng_global_init_time), init_time) || |
2921 | - time_after(jiffies, init_time + CRNG_RESEED_INTERVAL)) |
2922 | - crng_reseed(crng, crng == &primary_crng ? |
2923 | - &input_pool : NULL); |
2924 | - } |
2925 | - spin_lock_irqsave(&crng->lock, flags); |
2926 | - if (arch_get_random_long(&v)) |
2927 | - crng->state[14] ^= v; |
2928 | - chacha20_block(&crng->state[0], out); |
2929 | - if (crng->state[12] == 0) |
2930 | - crng->state[13]++; |
2931 | - spin_unlock_irqrestore(&crng->lock, flags); |
2932 | -} |
2933 | - |
2934 | -static void extract_crng(__u8 out[CHACHA_BLOCK_SIZE]) |
2935 | -{ |
2936 | - _extract_crng(select_crng(), out); |
2937 | + spin_lock_irqsave(&input_pool.lock, flags); |
2938 | + _mix_pool_bytes(buf, len); |
2939 | + spin_unlock_irqrestore(&input_pool.lock, flags); |
2940 | } |
2941 | |
2942 | /* |
2943 | - * Use the leftover bytes from the CRNG block output (if there is |
2944 | - * enough) to mutate the CRNG key to provide backtracking protection. |
2945 | + * This is an HKDF-like construction for using the hashed collected entropy |
2946 | + * as a PRF key, that's then expanded block-by-block. |
2947 | */ |
2948 | -static void _crng_backtrack_protect(struct crng_state *crng, |
2949 | - __u8 tmp[CHACHA_BLOCK_SIZE], int used) |
2950 | +static void extract_entropy(void *buf, size_t len) |
2951 | { |
2952 | - unsigned long flags; |
2953 | - __u32 *s, *d; |
2954 | - int i; |
2955 | - |
2956 | - used = round_up(used, sizeof(__u32)); |
2957 | - if (used + CHACHA_KEY_SIZE > CHACHA_BLOCK_SIZE) { |
2958 | - extract_crng(tmp); |
2959 | - used = 0; |
2960 | + unsigned long flags; |
2961 | + u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE]; |
2962 | + struct { |
2963 | + unsigned long rdseed[32 / sizeof(long)]; |
2964 | + size_t counter; |
2965 | + } block; |
2966 | + size_t i; |
2967 | + |
2968 | + for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) { |
2969 | + if (!arch_get_random_seed_long(&block.rdseed[i]) && |
2970 | + !arch_get_random_long(&block.rdseed[i])) |
2971 | + block.rdseed[i] = random_get_entropy(); |
2972 | } |
2973 | - spin_lock_irqsave(&crng->lock, flags); |
2974 | - s = (__u32 *) &tmp[used]; |
2975 | - d = &crng->state[4]; |
2976 | - for (i=0; i < 8; i++) |
2977 | - *d++ ^= *s++; |
2978 | - spin_unlock_irqrestore(&crng->lock, flags); |
2979 | -} |
2980 | |
2981 | -static void crng_backtrack_protect(__u8 tmp[CHACHA_BLOCK_SIZE], int used) |
2982 | -{ |
2983 | - _crng_backtrack_protect(select_crng(), tmp, used); |
2984 | -} |
2985 | + spin_lock_irqsave(&input_pool.lock, flags); |
2986 | |
2987 | -static ssize_t extract_crng_user(void __user *buf, size_t nbytes) |
2988 | -{ |
2989 | - ssize_t ret = 0, i = CHACHA_BLOCK_SIZE; |
2990 | - __u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4); |
2991 | - int large_request = (nbytes > 256); |
2992 | - |
2993 | - while (nbytes) { |
2994 | - if (large_request && need_resched()) { |
2995 | - if (signal_pending(current)) { |
2996 | - if (ret == 0) |
2997 | - ret = -ERESTARTSYS; |
2998 | - break; |
2999 | - } |
3000 | - schedule(); |
3001 | - } |
3002 | + /* seed = HASHPRF(last_key, entropy_input) */ |
3003 | + blake2s_final(&input_pool.hash, seed); |
3004 | |
3005 | - extract_crng(tmp); |
3006 | - i = min_t(int, nbytes, CHACHA_BLOCK_SIZE); |
3007 | - if (copy_to_user(buf, tmp, i)) { |
3008 | - ret = -EFAULT; |
3009 | - break; |
3010 | - } |
3011 | + /* next_key = HASHPRF(seed, RDSEED || 0) */ |
3012 | + block.counter = 0; |
3013 | + blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed)); |
3014 | + blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key)); |
3015 | |
3016 | - nbytes -= i; |
3017 | + spin_unlock_irqrestore(&input_pool.lock, flags); |
3018 | + memzero_explicit(next_key, sizeof(next_key)); |
3019 | + |
3020 | + while (len) { |
3021 | + i = min_t(size_t, len, BLAKE2S_HASH_SIZE); |
3022 | + /* output = HASHPRF(seed, RDSEED || ++counter) */ |
3023 | + ++block.counter; |
3024 | + blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed)); |
3025 | + len -= i; |
3026 | buf += i; |
3027 | - ret += i; |
3028 | } |
3029 | - crng_backtrack_protect(tmp, i); |
3030 | - |
3031 | - /* Wipe data just written to memory */ |
3032 | - memzero_explicit(tmp, sizeof(tmp)); |
3033 | |
3034 | - return ret; |
3035 | + memzero_explicit(seed, sizeof(seed)); |
3036 | + memzero_explicit(&block, sizeof(block)); |
3037 | } |
3038 | |
3039 | +#define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits) |
3040 | |
3041 | -/********************************************************************* |
3042 | - * |
3043 | - * Entropy input management |
3044 | - * |
3045 | - *********************************************************************/ |
3046 | - |
3047 | -/* There is one of these per entropy source */ |
3048 | -struct timer_rand_state { |
3049 | - cycles_t last_time; |
3050 | - long last_delta, last_delta2; |
3051 | -}; |
3052 | - |
3053 | -#define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, }; |
3054 | - |
3055 | -/* |
3056 | - * Add device- or boot-specific data to the input pool to help |
3057 | - * initialize it. |
3058 | - * |
3059 | - * None of this adds any entropy; it is meant to avoid the problem of |
3060 | - * the entropy pool having similar initial state across largely |
3061 | - * identical devices. |
3062 | - */ |
3063 | -void add_device_randomness(const void *buf, unsigned int size) |
3064 | +static void __cold _credit_init_bits(size_t bits) |
3065 | { |
3066 | - unsigned long time = random_get_entropy() ^ jiffies; |
3067 | + unsigned int new, orig, add; |
3068 | unsigned long flags; |
3069 | |
3070 | - if (!crng_ready() && size) |
3071 | - crng_slow_load(buf, size); |
3072 | - |
3073 | - trace_add_device_randomness(size, _RET_IP_); |
3074 | - spin_lock_irqsave(&input_pool.lock, flags); |
3075 | - _mix_pool_bytes(&input_pool, buf, size); |
3076 | - _mix_pool_bytes(&input_pool, &time, sizeof(time)); |
3077 | - spin_unlock_irqrestore(&input_pool.lock, flags); |
3078 | -} |
3079 | -EXPORT_SYMBOL(add_device_randomness); |
3080 | - |
3081 | -static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE; |
3082 | - |
3083 | -/* |
3084 | - * This function adds entropy to the entropy "pool" by using timing |
3085 | - * delays. It uses the timer_rand_state structure to make an estimate |
3086 | - * of how many bits of entropy this call has added to the pool. |
3087 | - * |
3088 | - * The number "num" is also added to the pool - it should somehow describe |
3089 | - * the type of event which just happened. This is currently 0-255 for |
3090 | - * keyboard scan codes, and 256 upwards for interrupts. |
3091 | - * |
3092 | - */ |
3093 | -static void add_timer_randomness(struct timer_rand_state *state, unsigned num) |
3094 | -{ |
3095 | - struct entropy_store *r; |
3096 | - struct { |
3097 | - long jiffies; |
3098 | - unsigned cycles; |
3099 | - unsigned num; |
3100 | - } sample; |
3101 | - long delta, delta2, delta3; |
3102 | - |
3103 | - sample.jiffies = jiffies; |
3104 | - sample.cycles = random_get_entropy(); |
3105 | - sample.num = num; |
3106 | - r = &input_pool; |
3107 | - mix_pool_bytes(r, &sample, sizeof(sample)); |
3108 | - |
3109 | - /* |
3110 | - * Calculate number of bits of randomness we probably added. |
3111 | - * We take into account the first, second and third-order deltas |
3112 | - * in order to make our estimate. |
3113 | - */ |
3114 | - delta = sample.jiffies - READ_ONCE(state->last_time); |
3115 | - WRITE_ONCE(state->last_time, sample.jiffies); |
3116 | - |
3117 | - delta2 = delta - READ_ONCE(state->last_delta); |
3118 | - WRITE_ONCE(state->last_delta, delta); |
3119 | - |
3120 | - delta3 = delta2 - READ_ONCE(state->last_delta2); |
3121 | - WRITE_ONCE(state->last_delta2, delta2); |
3122 | - |
3123 | - if (delta < 0) |
3124 | - delta = -delta; |
3125 | - if (delta2 < 0) |
3126 | - delta2 = -delta2; |
3127 | - if (delta3 < 0) |
3128 | - delta3 = -delta3; |
3129 | - if (delta > delta2) |
3130 | - delta = delta2; |
3131 | - if (delta > delta3) |
3132 | - delta = delta3; |
3133 | - |
3134 | - /* |
3135 | - * delta is now minimum absolute delta. |
3136 | - * Round down by 1 bit on general principles, |
3137 | - * and limit entropy entimate to 12 bits. |
3138 | - */ |
3139 | - credit_entropy_bits(r, min_t(int, fls(delta>>1), 11)); |
3140 | -} |
3141 | - |
3142 | -void add_input_randomness(unsigned int type, unsigned int code, |
3143 | - unsigned int value) |
3144 | -{ |
3145 | - static unsigned char last_value; |
3146 | - |
3147 | - /* ignore autorepeat and the like */ |
3148 | - if (value == last_value) |
3149 | + if (!bits) |
3150 | return; |
3151 | |
3152 | - last_value = value; |
3153 | - add_timer_randomness(&input_timer_state, |
3154 | - (type << 4) ^ code ^ (code >> 4) ^ value); |
3155 | - trace_add_input_randomness(ENTROPY_BITS(&input_pool)); |
3156 | -} |
3157 | -EXPORT_SYMBOL_GPL(add_input_randomness); |
3158 | - |
3159 | -static DEFINE_PER_CPU(struct fast_pool, irq_randomness); |
3160 | - |
3161 | -#ifdef ADD_INTERRUPT_BENCH |
3162 | -static unsigned long avg_cycles, avg_deviation; |
3163 | - |
3164 | -#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */ |
3165 | -#define FIXED_1_2 (1 << (AVG_SHIFT-1)) |
3166 | - |
3167 | -static void add_interrupt_bench(cycles_t start) |
3168 | -{ |
3169 | - long delta = random_get_entropy() - start; |
3170 | - |
3171 | - /* Use a weighted moving average */ |
3172 | - delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT); |
3173 | - avg_cycles += delta; |
3174 | - /* And average deviation */ |
3175 | - delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT); |
3176 | - avg_deviation += delta; |
3177 | -} |
3178 | -#else |
3179 | -#define add_interrupt_bench(x) |
3180 | -#endif |
3181 | - |
3182 | -static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs) |
3183 | -{ |
3184 | - __u32 *ptr = (__u32 *) regs; |
3185 | - unsigned int idx; |
3186 | + add = min_t(size_t, bits, POOL_BITS); |
3187 | |
3188 | - if (regs == NULL) |
3189 | - return 0; |
3190 | - idx = READ_ONCE(f->reg_idx); |
3191 | - if (idx >= sizeof(struct pt_regs) / sizeof(__u32)) |
3192 | - idx = 0; |
3193 | - ptr += idx++; |
3194 | - WRITE_ONCE(f->reg_idx, idx); |
3195 | - return *ptr; |
3196 | -} |
3197 | + do { |
3198 | + orig = READ_ONCE(input_pool.init_bits); |
3199 | + new = min_t(unsigned int, POOL_BITS, orig + add); |
3200 | + } while (cmpxchg(&input_pool.init_bits, orig, new) != orig); |
3201 | |
3202 | -void add_interrupt_randomness(int irq, int irq_flags) |
3203 | -{ |
3204 | - struct entropy_store *r; |
3205 | - struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); |
3206 | - struct pt_regs *regs = get_irq_regs(); |
3207 | - unsigned long now = jiffies; |
3208 | - cycles_t cycles = random_get_entropy(); |
3209 | - __u32 c_high, j_high; |
3210 | - __u64 ip; |
3211 | - unsigned long seed; |
3212 | - int credit = 0; |
3213 | - |
3214 | - if (cycles == 0) |
3215 | - cycles = get_reg(fast_pool, regs); |
3216 | - c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0; |
3217 | - j_high = (sizeof(now) > 4) ? now >> 32 : 0; |
3218 | - fast_pool->pool[0] ^= cycles ^ j_high ^ irq; |
3219 | - fast_pool->pool[1] ^= now ^ c_high; |
3220 | - ip = regs ? instruction_pointer(regs) : _RET_IP_; |
3221 | - fast_pool->pool[2] ^= ip; |
3222 | - fast_pool->pool[3] ^= (sizeof(ip) > 4) ? ip >> 32 : |
3223 | - get_reg(fast_pool, regs); |
3224 | - |
3225 | - fast_mix(fast_pool); |
3226 | - add_interrupt_bench(cycles); |
3227 | - |
3228 | - if (unlikely(crng_init == 0)) { |
3229 | - if ((fast_pool->count >= 64) && |
3230 | - crng_fast_load((char *) fast_pool->pool, |
3231 | - sizeof(fast_pool->pool)) > 0) { |
3232 | - fast_pool->count = 0; |
3233 | - fast_pool->last = now; |
3234 | + if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) { |
3235 | + crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */ |
3236 | + process_random_ready_list(); |
3237 | + wake_up_interruptible(&crng_init_wait); |
3238 | + kill_fasync(&fasync, SIGIO, POLL_IN); |
3239 | + pr_notice("crng init done\n"); |
3240 | + if (urandom_warning.missed) |
3241 | + pr_notice("%d urandom warning(s) missed due to ratelimiting\n", |
3242 | + urandom_warning.missed); |
3243 | + } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) { |
3244 | + spin_lock_irqsave(&base_crng.lock, flags); |
3245 | + /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */ |
3246 | + if (crng_init == CRNG_EMPTY) { |
3247 | + extract_entropy(base_crng.key, sizeof(base_crng.key)); |
3248 | + crng_init = CRNG_EARLY; |
3249 | } |
3250 | - return; |
3251 | - } |
3252 | - |
3253 | - if ((fast_pool->count < 64) && |
3254 | - !time_after(now, fast_pool->last + HZ)) |
3255 | - return; |
3256 | - |
3257 | - r = &input_pool; |
3258 | - if (!spin_trylock(&r->lock)) |
3259 | - return; |
3260 | - |
3261 | - fast_pool->last = now; |
3262 | - __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool)); |
3263 | - |
3264 | - /* |
3265 | - * If we have architectural seed generator, produce a seed and |
3266 | - * add it to the pool. For the sake of paranoia don't let the |
3267 | - * architectural seed generator dominate the input from the |
3268 | - * interrupt noise. |
3269 | - */ |
3270 | - if (arch_get_random_seed_long(&seed)) { |
3271 | - __mix_pool_bytes(r, &seed, sizeof(seed)); |
3272 | - credit = 1; |
3273 | + spin_unlock_irqrestore(&base_crng.lock, flags); |
3274 | } |
3275 | - spin_unlock(&r->lock); |
3276 | - |
3277 | - fast_pool->count = 0; |
3278 | - |
3279 | - /* award one bit for the contents of the fast pool */ |
3280 | - credit_entropy_bits(r, credit + 1); |
3281 | } |
3282 | -EXPORT_SYMBOL_GPL(add_interrupt_randomness); |
3283 | |
3284 | -#ifdef CONFIG_BLOCK |
3285 | -void add_disk_randomness(struct gendisk *disk) |
3286 | -{ |
3287 | - if (!disk || !disk->random) |
3288 | - return; |
3289 | - /* first major is 1, so we get >= 0x200 here */ |
3290 | - add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); |
3291 | - trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool)); |
3292 | -} |
3293 | -EXPORT_SYMBOL_GPL(add_disk_randomness); |
3294 | -#endif |
3295 | |
3296 | -/********************************************************************* |
3297 | +/********************************************************************** |
3298 | * |
3299 | - * Entropy extraction routines |
3300 | + * Entropy collection routines. |
3301 | * |
3302 | - *********************************************************************/ |
3303 | - |
3304 | -/* |
3305 | - * This utility inline function is responsible for transferring entropy |
3306 | - * from the primary pool to the secondary extraction pool. We make |
3307 | - * sure we pull enough for a 'catastrophic reseed'. |
3308 | - */ |
3309 | -static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes); |
3310 | -static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes) |
3311 | -{ |
3312 | - if (!r->pull || |
3313 | - r->entropy_count >= (nbytes << (ENTROPY_SHIFT + 3)) || |
3314 | - r->entropy_count > r->poolinfo->poolfracbits) |
3315 | - return; |
3316 | - |
3317 | - _xfer_secondary_pool(r, nbytes); |
3318 | -} |
3319 | + * The following exported functions are used for pushing entropy into |
3320 | + * the above entropy accumulation routines: |
3321 | + * |
3322 | + * void add_device_randomness(const void *buf, size_t len); |
3323 | + * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy); |
3324 | + * void add_bootloader_randomness(const void *buf, size_t len); |
3325 | + * void add_interrupt_randomness(int irq); |
3326 | + * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value); |
3327 | + * void add_disk_randomness(struct gendisk *disk); |
3328 | + * |
3329 | + * add_device_randomness() adds data to the input pool that |
3330 | + * is likely to differ between two devices (or possibly even per boot). |
3331 | + * This would be things like MAC addresses or serial numbers, or the |
3332 | + * read-out of the RTC. This does *not* credit any actual entropy to |
3333 | + * the pool, but it initializes the pool to different values for devices |
3334 | + * that might otherwise be identical and have very little entropy |
3335 | + * available to them (particularly common in the embedded world). |
3336 | + * |
3337 | + * add_hwgenerator_randomness() is for true hardware RNGs, and will credit |
3338 | + * entropy as specified by the caller. If the entropy pool is full it will |
3339 | + * block until more entropy is needed. |
3340 | + * |
3341 | + * add_bootloader_randomness() is called by bootloader drivers, such as EFI |
3342 | + * and device tree, and credits its input depending on whether or not the |
3343 | + * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set. |
3344 | + * |
3345 | + * add_interrupt_randomness() uses the interrupt timing as random |
3346 | + * inputs to the entropy pool. Using the cycle counters and the irq source |
3347 | + * as inputs, it feeds the input pool roughly once a second or after 64 |
3348 | + * interrupts, crediting 1 bit of entropy for whichever comes first. |
3349 | + * |
3350 | + * add_input_randomness() uses the input layer interrupt timing, as well |
3351 | + * as the event type information from the hardware. |
3352 | + * |
3353 | + * add_disk_randomness() uses what amounts to the seek time of block |
3354 | + * layer request events, on a per-disk_devt basis, as input to the |
3355 | + * entropy pool. Note that high-speed solid state drives with very low |
3356 | + * seek times do not make for good sources of entropy, as their seek |
3357 | + * times are usually fairly consistent. |
3358 | + * |
3359 | + * The last two routines try to estimate how many bits of entropy |
3360 | + * to credit. They do this by keeping track of the first and second |
3361 | + * order deltas of the event timings. |
3362 | + * |
3363 | + **********************************************************************/ |
3364 | |
3365 | -static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes) |
3366 | +static bool trust_cpu __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); |
3367 | +static bool trust_bootloader __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER); |
3368 | +static int __init parse_trust_cpu(char *arg) |
3369 | { |
3370 | - __u32 tmp[OUTPUT_POOL_WORDS]; |
3371 | - |
3372 | - int bytes = nbytes; |
3373 | - |
3374 | - /* pull at least as much as a wakeup */ |
3375 | - bytes = max_t(int, bytes, random_read_wakeup_bits / 8); |
3376 | - /* but never more than the buffer size */ |
3377 | - bytes = min_t(int, bytes, sizeof(tmp)); |
3378 | - |
3379 | - trace_xfer_secondary_pool(r->name, bytes * 8, nbytes * 8, |
3380 | - ENTROPY_BITS(r), ENTROPY_BITS(r->pull)); |
3381 | - bytes = extract_entropy(r->pull, tmp, bytes, |
3382 | - random_read_wakeup_bits / 8, 0); |
3383 | - mix_pool_bytes(r, tmp, bytes); |
3384 | - credit_entropy_bits(r, bytes*8); |
3385 | + return kstrtobool(arg, &trust_cpu); |
3386 | } |
3387 | - |
3388 | -/* |
3389 | - * Used as a workqueue function so that when the input pool is getting |
3390 | - * full, we can "spill over" some entropy to the output pools. That |
3391 | - * way the output pools can store some of the excess entropy instead |
3392 | - * of letting it go to waste. |
3393 | - */ |
3394 | -static void push_to_pool(struct work_struct *work) |
3395 | +static int __init parse_trust_bootloader(char *arg) |
3396 | { |
3397 | - struct entropy_store *r = container_of(work, struct entropy_store, |
3398 | - push_work); |
3399 | - BUG_ON(!r); |
3400 | - _xfer_secondary_pool(r, random_read_wakeup_bits/8); |
3401 | - trace_push_to_pool(r->name, r->entropy_count >> ENTROPY_SHIFT, |
3402 | - r->pull->entropy_count >> ENTROPY_SHIFT); |
3403 | + return kstrtobool(arg, &trust_bootloader); |
3404 | } |
3405 | +early_param("random.trust_cpu", parse_trust_cpu); |
3406 | +early_param("random.trust_bootloader", parse_trust_bootloader); |
3407 | |
3408 | /* |
3409 | - * This function decides how many bytes to actually take from the |
3410 | - * given pool, and also debits the entropy count accordingly. |
3411 | + * The first collection of entropy occurs at system boot while interrupts |
3412 | + * are still turned off. Here we push in latent entropy, RDSEED, a timestamp, |
3413 | + * utsname(), and the command line. Depending on the above configuration knob, |
3414 | + * RDSEED may be considered sufficient for initialization. Note that much |
3415 | + * earlier setup may already have pushed entropy into the input pool by the |
3416 | + * time we get here. |
3417 | */ |
3418 | -static size_t account(struct entropy_store *r, size_t nbytes, int min, |
3419 | - int reserved) |
3420 | +int __init random_init(const char *command_line) |
3421 | { |
3422 | - int entropy_count, orig, have_bytes; |
3423 | - size_t ibytes, nfrac; |
3424 | - |
3425 | - BUG_ON(r->entropy_count > r->poolinfo->poolfracbits); |
3426 | - |
3427 | - /* Can we pull enough? */ |
3428 | -retry: |
3429 | - entropy_count = orig = READ_ONCE(r->entropy_count); |
3430 | - ibytes = nbytes; |
3431 | - /* never pull more than available */ |
3432 | - have_bytes = entropy_count >> (ENTROPY_SHIFT + 3); |
3433 | - |
3434 | - if ((have_bytes -= reserved) < 0) |
3435 | - have_bytes = 0; |
3436 | - ibytes = min_t(size_t, ibytes, have_bytes); |
3437 | - if (ibytes < min) |
3438 | - ibytes = 0; |
3439 | - |
3440 | - if (unlikely(entropy_count < 0)) { |
3441 | - pr_warn("random: negative entropy count: pool %s count %d\n", |
3442 | - r->name, entropy_count); |
3443 | - WARN_ON(1); |
3444 | - entropy_count = 0; |
3445 | - } |
3446 | - nfrac = ibytes << (ENTROPY_SHIFT + 3); |
3447 | - if ((size_t) entropy_count > nfrac) |
3448 | - entropy_count -= nfrac; |
3449 | - else |
3450 | - entropy_count = 0; |
3451 | + ktime_t now = ktime_get_real(); |
3452 | + unsigned int i, arch_bits; |
3453 | + unsigned long entropy; |
3454 | |
3455 | - if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
3456 | - goto retry; |
3457 | +#if defined(LATENT_ENTROPY_PLUGIN) |
3458 | + static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; |
3459 | + _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed)); |
3460 | +#endif |
3461 | |
3462 | - trace_debit_entropy(r->name, 8 * ibytes); |
3463 | - if (ibytes && |
3464 | - (r->entropy_count >> ENTROPY_SHIFT) < random_write_wakeup_bits) { |
3465 | - wake_up_interruptible(&random_write_wait); |
3466 | - kill_fasync(&fasync, SIGIO, POLL_OUT); |
3467 | + for (i = 0, arch_bits = BLAKE2S_BLOCK_SIZE * 8; |
3468 | + i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) { |
3469 | + if (!arch_get_random_seed_long_early(&entropy) && |
3470 | + !arch_get_random_long_early(&entropy)) { |
3471 | + entropy = random_get_entropy(); |
3472 | + arch_bits -= sizeof(entropy) * 8; |
3473 | + } |
3474 | + _mix_pool_bytes(&entropy, sizeof(entropy)); |
3475 | } |
3476 | + _mix_pool_bytes(&now, sizeof(now)); |
3477 | + _mix_pool_bytes(utsname(), sizeof(*(utsname()))); |
3478 | + _mix_pool_bytes(command_line, strlen(command_line)); |
3479 | + add_latent_entropy(); |
3480 | + |
3481 | + if (crng_ready()) |
3482 | + crng_reseed(); |
3483 | + else if (trust_cpu) |
3484 | + _credit_init_bits(arch_bits); |
3485 | |
3486 | - return ibytes; |
3487 | + return 0; |
3488 | } |
3489 | |
3490 | /* |
3491 | - * This function does the actual extraction for extract_entropy and |
3492 | - * extract_entropy_user. |
3493 | + * Add device- or boot-specific data to the input pool to help |
3494 | + * initialize it. |
3495 | * |
3496 | - * Note: we assume that .poolwords is a multiple of 16 words. |
3497 | + * None of this adds any entropy; it is meant to avoid the problem of |
3498 | + * the entropy pool having similar initial state across largely |
3499 | + * identical devices. |
3500 | */ |
3501 | -static void extract_buf(struct entropy_store *r, __u8 *out) |
3502 | -{ |
3503 | - int i; |
3504 | - union { |
3505 | - __u32 w[5]; |
3506 | - unsigned long l[LONGS(20)]; |
3507 | - } hash; |
3508 | - __u32 workspace[SHA_WORKSPACE_WORDS]; |
3509 | - unsigned long flags; |
3510 | - |
3511 | - /* |
3512 | - * If we have an architectural hardware random number |
3513 | - * generator, use it for SHA's initial vector |
3514 | - */ |
3515 | - sha_init(hash.w); |
3516 | - for (i = 0; i < LONGS(20); i++) { |
3517 | - unsigned long v; |
3518 | - if (!arch_get_random_long(&v)) |
3519 | - break; |
3520 | - hash.l[i] = v; |
3521 | - } |
3522 | - |
3523 | - /* Generate a hash across the pool, 16 words (512 bits) at a time */ |
3524 | - spin_lock_irqsave(&r->lock, flags); |
3525 | - for (i = 0; i < r->poolinfo->poolwords; i += 16) |
3526 | - sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); |
3527 | - |
3528 | - /* |
3529 | - * We mix the hash back into the pool to prevent backtracking |
3530 | - * attacks (where the attacker knows the state of the pool |
3531 | - * plus the current outputs, and attempts to find previous |
3532 | - * ouputs), unless the hash function can be inverted. By |
3533 | - * mixing at least a SHA1 worth of hash data back, we make |
3534 | - * brute-forcing the feedback as hard as brute-forcing the |
3535 | - * hash. |
3536 | - */ |
3537 | - __mix_pool_bytes(r, hash.w, sizeof(hash.w)); |
3538 | - spin_unlock_irqrestore(&r->lock, flags); |
3539 | - |
3540 | - memzero_explicit(workspace, sizeof(workspace)); |
3541 | - |
3542 | - /* |
3543 | - * In case the hash function has some recognizable output |
3544 | - * pattern, we fold it in half. Thus, we always feed back |
3545 | - * twice as much data as we output. |
3546 | - */ |
3547 | - hash.w[0] ^= hash.w[3]; |
3548 | - hash.w[1] ^= hash.w[4]; |
3549 | - hash.w[2] ^= rol32(hash.w[2], 16); |
3550 | - |
3551 | - memcpy(out, &hash, EXTRACT_SIZE); |
3552 | - memzero_explicit(&hash, sizeof(hash)); |
3553 | -} |
3554 | - |
3555 | -static ssize_t _extract_entropy(struct entropy_store *r, void *buf, |
3556 | - size_t nbytes, int fips) |
3557 | +void add_device_randomness(const void *buf, size_t len) |
3558 | { |
3559 | - ssize_t ret = 0, i; |
3560 | - __u8 tmp[EXTRACT_SIZE]; |
3561 | + unsigned long entropy = random_get_entropy(); |
3562 | unsigned long flags; |
3563 | |
3564 | - while (nbytes) { |
3565 | - extract_buf(r, tmp); |
3566 | - |
3567 | - if (fips) { |
3568 | - spin_lock_irqsave(&r->lock, flags); |
3569 | - if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) |
3570 | - panic("Hardware RNG duplicated output!\n"); |
3571 | - memcpy(r->last_data, tmp, EXTRACT_SIZE); |
3572 | - spin_unlock_irqrestore(&r->lock, flags); |
3573 | - } |
3574 | - i = min_t(int, nbytes, EXTRACT_SIZE); |
3575 | - memcpy(buf, tmp, i); |
3576 | - nbytes -= i; |
3577 | - buf += i; |
3578 | - ret += i; |
3579 | - } |
3580 | - |
3581 | - /* Wipe data just returned from memory */ |
3582 | - memzero_explicit(tmp, sizeof(tmp)); |
3583 | - |
3584 | - return ret; |
3585 | + spin_lock_irqsave(&input_pool.lock, flags); |
3586 | + _mix_pool_bytes(&entropy, sizeof(entropy)); |
3587 | + _mix_pool_bytes(buf, len); |
3588 | + spin_unlock_irqrestore(&input_pool.lock, flags); |
3589 | } |
3590 | +EXPORT_SYMBOL(add_device_randomness); |
3591 | |
3592 | /* |
3593 | - * This function extracts randomness from the "entropy pool", and |
3594 | - * returns it in a buffer. |
3595 | - * |
3596 | - * The min parameter specifies the minimum amount we can pull before |
3597 | - * failing to avoid races that defeat catastrophic reseeding while the |
3598 | - * reserved parameter indicates how much entropy we must leave in the |
3599 | - * pool after each pull to avoid starving other readers. |
3600 | + * Interface for in-kernel drivers of true hardware RNGs. |
3601 | + * Those devices may produce endless random bits and will be throttled |
3602 | + * when our pool is full. |
3603 | */ |
3604 | -static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
3605 | - size_t nbytes, int min, int reserved) |
3606 | +void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy) |
3607 | { |
3608 | - __u8 tmp[EXTRACT_SIZE]; |
3609 | - unsigned long flags; |
3610 | + mix_pool_bytes(buf, len); |
3611 | + credit_init_bits(entropy); |
3612 | |
3613 | - /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
3614 | - if (fips_enabled) { |
3615 | - spin_lock_irqsave(&r->lock, flags); |
3616 | - if (!r->last_data_init) { |
3617 | - r->last_data_init = 1; |
3618 | - spin_unlock_irqrestore(&r->lock, flags); |
3619 | - trace_extract_entropy(r->name, EXTRACT_SIZE, |
3620 | - ENTROPY_BITS(r), _RET_IP_); |
3621 | - xfer_secondary_pool(r, EXTRACT_SIZE); |
3622 | - extract_buf(r, tmp); |
3623 | - spin_lock_irqsave(&r->lock, flags); |
3624 | - memcpy(r->last_data, tmp, EXTRACT_SIZE); |
3625 | - } |
3626 | - spin_unlock_irqrestore(&r->lock, flags); |
3627 | - } |
3628 | - |
3629 | - trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); |
3630 | - xfer_secondary_pool(r, nbytes); |
3631 | - nbytes = account(r, nbytes, min, reserved); |
3632 | - |
3633 | - return _extract_entropy(r, buf, nbytes, fips_enabled); |
3634 | + /* |
3635 | + * Throttle writing to once every CRNG_RESEED_INTERVAL, unless |
3636 | + * we're not yet initialized. |
3637 | + */ |
3638 | + if (!kthread_should_stop() && crng_ready()) |
3639 | + schedule_timeout_interruptible(CRNG_RESEED_INTERVAL); |
3640 | } |
3641 | +EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); |
3642 | |
3643 | /* |
3644 | - * This function extracts randomness from the "entropy pool", and |
3645 | - * returns it in a userspace buffer. |
3646 | + * Handle random seed passed by bootloader, and credit it if |
3647 | + * CONFIG_RANDOM_TRUST_BOOTLOADER is set. |
3648 | */ |
3649 | -static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
3650 | - size_t nbytes) |
3651 | +void __init add_bootloader_randomness(const void *buf, size_t len) |
3652 | { |
3653 | - ssize_t ret = 0, i; |
3654 | - __u8 tmp[EXTRACT_SIZE]; |
3655 | - int large_request = (nbytes > 256); |
3656 | - |
3657 | - trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_); |
3658 | - if (!r->initialized && r->pull) { |
3659 | - xfer_secondary_pool(r, ENTROPY_BITS(r->pull)/8); |
3660 | - if (!r->initialized) |
3661 | - return 0; |
3662 | - } |
3663 | - xfer_secondary_pool(r, nbytes); |
3664 | - nbytes = account(r, nbytes, 0, 0); |
3665 | - |
3666 | - while (nbytes) { |
3667 | - if (large_request && need_resched()) { |
3668 | - if (signal_pending(current)) { |
3669 | - if (ret == 0) |
3670 | - ret = -ERESTARTSYS; |
3671 | - break; |
3672 | - } |
3673 | - schedule(); |
3674 | - } |
3675 | - |
3676 | - extract_buf(r, tmp); |
3677 | - i = min_t(int, nbytes, EXTRACT_SIZE); |
3678 | - if (copy_to_user(buf, tmp, i)) { |
3679 | - ret = -EFAULT; |
3680 | - break; |
3681 | - } |
3682 | - |
3683 | - nbytes -= i; |
3684 | - buf += i; |
3685 | - ret += i; |
3686 | - } |
3687 | - |
3688 | - /* Wipe data just returned from memory */ |
3689 | - memzero_explicit(tmp, sizeof(tmp)); |
3690 | - |
3691 | - return ret; |
3692 | + mix_pool_bytes(buf, len); |
3693 | + if (trust_bootloader) |
3694 | + credit_init_bits(len * 8); |
3695 | } |
3696 | |
3697 | -#define warn_unseeded_randomness(previous) \ |
3698 | - _warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous)) |
3699 | +struct fast_pool { |
3700 | + struct work_struct mix; |
3701 | + unsigned long pool[4]; |
3702 | + unsigned long last; |
3703 | + unsigned int count; |
3704 | +}; |
3705 | |
3706 | -static void _warn_unseeded_randomness(const char *func_name, void *caller, |
3707 | - void **previous) |
3708 | -{ |
3709 | -#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM |
3710 | - const bool print_once = false; |
3711 | +static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = { |
3712 | +#ifdef CONFIG_64BIT |
3713 | +#define FASTMIX_PERM SIPHASH_PERMUTATION |
3714 | + .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 } |
3715 | #else |
3716 | - static bool print_once __read_mostly; |
3717 | +#define FASTMIX_PERM HSIPHASH_PERMUTATION |
3718 | + .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 } |
3719 | #endif |
3720 | - |
3721 | - if (print_once || |
3722 | - crng_ready() || |
3723 | - (previous && (caller == READ_ONCE(*previous)))) |
3724 | - return; |
3725 | - WRITE_ONCE(*previous, caller); |
3726 | -#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM |
3727 | - print_once = true; |
3728 | -#endif |
3729 | - if (__ratelimit(&unseeded_warning)) |
3730 | - printk_deferred(KERN_NOTICE "random: %s called from %pS " |
3731 | - "with crng_init=%d\n", func_name, caller, |
3732 | - crng_init); |
3733 | -} |
3734 | +}; |
3735 | |
3736 | /* |
3737 | - * This function is the exported kernel interface. It returns some |
3738 | - * number of good random numbers, suitable for key generation, seeding |
3739 | - * TCP sequence numbers, etc. It does not rely on the hardware random |
3740 | - * number generator. For random bytes direct from the hardware RNG |
3741 | - * (when available), use get_random_bytes_arch(). In order to ensure |
3742 | - * that the randomness provided by this function is okay, the function |
3743 | - * wait_for_random_bytes() should be called and return 0 at least once |
3744 | - * at any point prior. |
3745 | + * This is [Half]SipHash-1-x, starting from an empty key. Because |
3746 | + * the key is fixed, it assumes that its inputs are non-malicious, |
3747 | + * and therefore this has no security on its own. s represents the |
3748 | + * four-word SipHash state, while v represents a two-word input. |
3749 | */ |
3750 | -static void _get_random_bytes(void *buf, int nbytes) |
3751 | -{ |
3752 | - __u8 tmp[CHACHA_BLOCK_SIZE] __aligned(4); |
3753 | - |
3754 | - trace_get_random_bytes(nbytes, _RET_IP_); |
3755 | - |
3756 | - while (nbytes >= CHACHA_BLOCK_SIZE) { |
3757 | - extract_crng(buf); |
3758 | - buf += CHACHA_BLOCK_SIZE; |
3759 | - nbytes -= CHACHA_BLOCK_SIZE; |
3760 | - } |
3761 | - |
3762 | - if (nbytes > 0) { |
3763 | - extract_crng(tmp); |
3764 | - memcpy(buf, tmp, nbytes); |
3765 | - crng_backtrack_protect(tmp, nbytes); |
3766 | - } else |
3767 | - crng_backtrack_protect(tmp, CHACHA_BLOCK_SIZE); |
3768 | - memzero_explicit(tmp, sizeof(tmp)); |
3769 | -} |
3770 | - |
3771 | -void get_random_bytes(void *buf, int nbytes) |
3772 | +static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2) |
3773 | { |
3774 | - static void *previous; |
3775 | - |
3776 | - warn_unseeded_randomness(&previous); |
3777 | - _get_random_bytes(buf, nbytes); |
3778 | + s[3] ^= v1; |
3779 | + FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
3780 | + s[0] ^= v1; |
3781 | + s[3] ^= v2; |
3782 | + FASTMIX_PERM(s[0], s[1], s[2], s[3]); |
3783 | + s[0] ^= v2; |
3784 | } |
3785 | -EXPORT_SYMBOL(get_random_bytes); |
3786 | - |
3787 | |
3788 | +#ifdef CONFIG_SMP |
3789 | /* |
3790 | - * Each time the timer fires, we expect that we got an unpredictable |
3791 | - * jump in the cycle counter. Even if the timer is running on another |
3792 | - * CPU, the timer activity will be touching the stack of the CPU that is |
3793 | - * generating entropy.. |
3794 | - * |
3795 | - * Note that we don't re-arm the timer in the timer itself - we are |
3796 | - * happy to be scheduled away, since that just makes the load more |
3797 | - * complex, but we do not want the timer to keep ticking unless the |
3798 | - * entropy loop is running. |
3799 | - * |
3800 | - * So the re-arming always happens in the entropy loop itself. |
3801 | + * This function is called when the CPU has just come online, with |
3802 | + * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE. |
3803 | */ |
3804 | -static void entropy_timer(struct timer_list *t) |
3805 | +int __cold random_online_cpu(unsigned int cpu) |
3806 | { |
3807 | - credit_entropy_bits(&input_pool, 1); |
3808 | + /* |
3809 | + * During CPU shutdown and before CPU onlining, add_interrupt_ |
3810 | + * randomness() may schedule mix_interrupt_randomness(), and |
3811 | + * set the MIX_INFLIGHT flag. However, because the worker can |
3812 | + * be scheduled on a different CPU during this period, that |
3813 | + * flag will never be cleared. For that reason, we zero out |
3814 | + * the flag here, which runs just after workqueues are onlined |
3815 | + * for the CPU again. This also has the effect of setting the |
3816 | + * irq randomness count to zero so that new accumulated irqs |
3817 | + * are fresh. |
3818 | + */ |
3819 | + per_cpu_ptr(&irq_randomness, cpu)->count = 0; |
3820 | + return 0; |
3821 | } |
3822 | +#endif |
3823 | |
3824 | -/* |
3825 | - * If we have an actual cycle counter, see if we can |
3826 | - * generate enough entropy with timing noise |
3827 | - */ |
3828 | -static void try_to_generate_entropy(void) |
3829 | +static void mix_interrupt_randomness(struct work_struct *work) |
3830 | { |
3831 | - struct { |
3832 | - unsigned long now; |
3833 | - struct timer_list timer; |
3834 | - } stack; |
3835 | - |
3836 | - stack.now = random_get_entropy(); |
3837 | + struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix); |
3838 | + /* |
3839 | + * The size of the copied stack pool is explicitly 2 longs so that we |
3840 | + * only ever ingest half of the siphash output each time, retaining |
3841 | + * the other half as the next "key" that carries over. The entropy is |
3842 | + * supposed to be sufficiently dispersed between bits so on average |
3843 | + * we don't wind up "losing" some. |
3844 | + */ |
3845 | + unsigned long pool[2]; |
3846 | + unsigned int count; |
3847 | |
3848 | - /* Slow counter - or none. Don't even bother */ |
3849 | - if (stack.now == random_get_entropy()) |
3850 | + /* Check to see if we're running on the wrong CPU due to hotplug. */ |
3851 | + local_irq_disable(); |
3852 | + if (fast_pool != this_cpu_ptr(&irq_randomness)) { |
3853 | + local_irq_enable(); |
3854 | return; |
3855 | - |
3856 | - timer_setup_on_stack(&stack.timer, entropy_timer, 0); |
3857 | - while (!crng_ready()) { |
3858 | - if (!timer_pending(&stack.timer)) |
3859 | - mod_timer(&stack.timer, jiffies+1); |
3860 | - mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now)); |
3861 | - schedule(); |
3862 | - stack.now = random_get_entropy(); |
3863 | } |
3864 | |
3865 | - del_timer_sync(&stack.timer); |
3866 | - destroy_timer_on_stack(&stack.timer); |
3867 | - mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now)); |
3868 | -} |
3869 | - |
3870 | -/* |
3871 | - * Wait for the urandom pool to be seeded and thus guaranteed to supply |
3872 | - * cryptographically secure random numbers. This applies to: the /dev/urandom |
3873 | - * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} |
3874 | - * family of functions. Using any of these functions without first calling |
3875 | - * this function forfeits the guarantee of security. |
3876 | - * |
3877 | - * Returns: 0 if the urandom pool has been seeded. |
3878 | - * -ERESTARTSYS if the function was interrupted by a signal. |
3879 | - */ |
3880 | -int wait_for_random_bytes(void) |
3881 | -{ |
3882 | - if (likely(crng_ready())) |
3883 | - return 0; |
3884 | - |
3885 | - do { |
3886 | - int ret; |
3887 | - ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ); |
3888 | - if (ret) |
3889 | - return ret > 0 ? 0 : ret; |
3890 | - |
3891 | - try_to_generate_entropy(); |
3892 | - } while (!crng_ready()); |
3893 | + /* |
3894 | + * Copy the pool to the stack so that the mixer always has a |
3895 | + * consistent view, before we reenable irqs again. |
3896 | + */ |
3897 | + memcpy(pool, fast_pool->pool, sizeof(pool)); |
3898 | + count = fast_pool->count; |
3899 | + fast_pool->count = 0; |
3900 | + fast_pool->last = jiffies; |
3901 | + local_irq_enable(); |
3902 | |
3903 | - return 0; |
3904 | -} |
3905 | -EXPORT_SYMBOL(wait_for_random_bytes); |
3906 | + mix_pool_bytes(pool, sizeof(pool)); |
3907 | + credit_init_bits(max(1u, (count & U16_MAX) / 64)); |
3908 | |
3909 | -/* |
3910 | - * Returns whether or not the urandom pool has been seeded and thus guaranteed |
3911 | - * to supply cryptographically secure random numbers. This applies to: the |
3912 | - * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, |
3913 | - * ,u64,int,long} family of functions. |
3914 | - * |
3915 | - * Returns: true if the urandom pool has been seeded. |
3916 | - * false if the urandom pool has not been seeded. |
3917 | - */ |
3918 | -bool rng_is_initialized(void) |
3919 | -{ |
3920 | - return crng_ready(); |
3921 | + memzero_explicit(pool, sizeof(pool)); |
3922 | } |
3923 | -EXPORT_SYMBOL(rng_is_initialized); |
3924 | |
3925 | -/* |
3926 | - * Add a callback function that will be invoked when the nonblocking |
3927 | - * pool is initialised. |
3928 | - * |
3929 | - * returns: 0 if callback is successfully added |
3930 | - * -EALREADY if pool is already initialised (callback not called) |
3931 | - * -ENOENT if module for callback is not alive |
3932 | - */ |
3933 | -int add_random_ready_callback(struct random_ready_callback *rdy) |
3934 | +void add_interrupt_randomness(int irq) |
3935 | { |
3936 | - struct module *owner; |
3937 | - unsigned long flags; |
3938 | - int err = -EALREADY; |
3939 | - |
3940 | - if (crng_ready()) |
3941 | - return err; |
3942 | - |
3943 | - owner = rdy->owner; |
3944 | - if (!try_module_get(owner)) |
3945 | - return -ENOENT; |
3946 | - |
3947 | - spin_lock_irqsave(&random_ready_list_lock, flags); |
3948 | - if (crng_ready()) |
3949 | - goto out; |
3950 | - |
3951 | - owner = NULL; |
3952 | + enum { MIX_INFLIGHT = 1U << 31 }; |
3953 | + unsigned long entropy = random_get_entropy(); |
3954 | + struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness); |
3955 | + struct pt_regs *regs = get_irq_regs(); |
3956 | + unsigned int new_count; |
3957 | |
3958 | - list_add(&rdy->list, &random_ready_list); |
3959 | - err = 0; |
3960 | + fast_mix(fast_pool->pool, entropy, |
3961 | + (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq)); |
3962 | + new_count = ++fast_pool->count; |
3963 | |
3964 | -out: |
3965 | - spin_unlock_irqrestore(&random_ready_list_lock, flags); |
3966 | + if (new_count & MIX_INFLIGHT) |
3967 | + return; |
3968 | |
3969 | - module_put(owner); |
3970 | + if (new_count < 64 && !time_is_before_jiffies(fast_pool->last + HZ)) |
3971 | + return; |
3972 | |
3973 | - return err; |
3974 | + if (unlikely(!fast_pool->mix.func)) |
3975 | + INIT_WORK(&fast_pool->mix, mix_interrupt_randomness); |
3976 | + fast_pool->count |= MIX_INFLIGHT; |
3977 | + queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix); |
3978 | } |
3979 | -EXPORT_SYMBOL(add_random_ready_callback); |
3980 | +EXPORT_SYMBOL_GPL(add_interrupt_randomness); |
3981 | + |
3982 | +/* There is one of these per entropy source */ |
3983 | +struct timer_rand_state { |
3984 | + unsigned long last_time; |
3985 | + long last_delta, last_delta2; |
3986 | +}; |
3987 | |
3988 | /* |
3989 | - * Delete a previously registered readiness callback function. |
3990 | + * This function adds entropy to the entropy "pool" by using timing |
3991 | + * delays. It uses the timer_rand_state structure to make an estimate |
3992 | + * of how many bits of entropy this call has added to the pool. The |
3993 | + * value "num" is also added to the pool; it should somehow describe |
3994 | + * the type of event that just happened. |
3995 | */ |
3996 | -void del_random_ready_callback(struct random_ready_callback *rdy) |
3997 | +static void add_timer_randomness(struct timer_rand_state *state, unsigned int num) |
3998 | { |
3999 | - unsigned long flags; |
4000 | - struct module *owner = NULL; |
4001 | + unsigned long entropy = random_get_entropy(), now = jiffies, flags; |
4002 | + long delta, delta2, delta3; |
4003 | + unsigned int bits; |
4004 | |
4005 | - spin_lock_irqsave(&random_ready_list_lock, flags); |
4006 | - if (!list_empty(&rdy->list)) { |
4007 | - list_del_init(&rdy->list); |
4008 | - owner = rdy->owner; |
4009 | + /* |
4010 | + * If we're in a hard IRQ, add_interrupt_randomness() will be called |
4011 | + * sometime after, so mix into the fast pool. |
4012 | + */ |
4013 | + if (in_irq()) { |
4014 | + fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num); |
4015 | + } else { |
4016 | + spin_lock_irqsave(&input_pool.lock, flags); |
4017 | + _mix_pool_bytes(&entropy, sizeof(entropy)); |
4018 | + _mix_pool_bytes(&num, sizeof(num)); |
4019 | + spin_unlock_irqrestore(&input_pool.lock, flags); |
4020 | } |
4021 | - spin_unlock_irqrestore(&random_ready_list_lock, flags); |
4022 | |
4023 | - module_put(owner); |
4024 | -} |
4025 | -EXPORT_SYMBOL(del_random_ready_callback); |
4026 | + if (crng_ready()) |
4027 | + return; |
4028 | + |
4029 | + /* |
4030 | + * Calculate number of bits of randomness we probably added. |
4031 | + * We take into account the first, second and third-order deltas |
4032 | + * in order to make our estimate. |
4033 | + */ |
4034 | + delta = now - READ_ONCE(state->last_time); |
4035 | + WRITE_ONCE(state->last_time, now); |
4036 | |
4037 | -/* |
4038 | - * This function will use the architecture-specific hardware random |
4039 | - * number generator if it is available. The arch-specific hw RNG will |
4040 | - * almost certainly be faster than what we can do in software, but it |
4041 | - * is impossible to verify that it is implemented securely (as |
4042 | - * opposed, to, say, the AES encryption of a sequence number using a |
4043 | - * key known by the NSA). So it's useful if we need the speed, but |
4044 | - * only if we're willing to trust the hardware manufacturer not to |
4045 | - * have put in a back door. |
4046 | - * |
4047 | - * Return number of bytes filled in. |
4048 | - */ |
4049 | -int __must_check get_random_bytes_arch(void *buf, int nbytes) |
4050 | -{ |
4051 | - int left = nbytes; |
4052 | - char *p = buf; |
4053 | + delta2 = delta - READ_ONCE(state->last_delta); |
4054 | + WRITE_ONCE(state->last_delta, delta); |
4055 | |
4056 | - trace_get_random_bytes_arch(left, _RET_IP_); |
4057 | - while (left) { |
4058 | - unsigned long v; |
4059 | - int chunk = min_t(int, left, sizeof(unsigned long)); |
4060 | + delta3 = delta2 - READ_ONCE(state->last_delta2); |
4061 | + WRITE_ONCE(state->last_delta2, delta2); |
4062 | |
4063 | - if (!arch_get_random_long(&v)) |
4064 | - break; |
4065 | + if (delta < 0) |
4066 | + delta = -delta; |
4067 | + if (delta2 < 0) |
4068 | + delta2 = -delta2; |
4069 | + if (delta3 < 0) |
4070 | + delta3 = -delta3; |
4071 | + if (delta > delta2) |
4072 | + delta = delta2; |
4073 | + if (delta > delta3) |
4074 | + delta = delta3; |
4075 | |
4076 | - memcpy(p, &v, chunk); |
4077 | - p += chunk; |
4078 | - left -= chunk; |
4079 | - } |
4080 | + /* |
4081 | + * delta is now minimum absolute delta. Round down by 1 bit |
4082 | + * on general principles, and limit entropy estimate to 11 bits. |
4083 | + */ |
4084 | + bits = min(fls(delta >> 1), 11); |
4085 | |
4086 | - return nbytes - left; |
4087 | + /* |
4088 | + * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness() |
4089 | + * will run after this, which uses a different crediting scheme of 1 bit |
4090 | + * per every 64 interrupts. In order to let that function do accounting |
4091 | + * close to the one in this function, we credit a full 64/64 bit per bit, |
4092 | + * and then subtract one to account for the extra one added. |
4093 | + */ |
4094 | + if (in_irq()) |
4095 | + this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1; |
4096 | + else |
4097 | + _credit_init_bits(bits); |
4098 | } |
4099 | -EXPORT_SYMBOL(get_random_bytes_arch); |
4100 | |
4101 | -/* |
4102 | - * init_std_data - initialize pool with system data |
4103 | - * |
4104 | - * @r: pool to initialize |
4105 | - * |
4106 | - * This function clears the pool's entropy count and mixes some system |
4107 | - * data into the pool to prepare it for use. The pool is not cleared |
4108 | - * as that can only decrease the entropy in the pool. |
4109 | - */ |
4110 | -static void __init init_std_data(struct entropy_store *r) |
4111 | +void add_input_randomness(unsigned int type, unsigned int code, unsigned int value) |
4112 | { |
4113 | - int i; |
4114 | - ktime_t now = ktime_get_real(); |
4115 | - unsigned long rv; |
4116 | - |
4117 | - r->last_pulled = jiffies; |
4118 | - mix_pool_bytes(r, &now, sizeof(now)); |
4119 | - for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) { |
4120 | - if (!arch_get_random_seed_long(&rv) && |
4121 | - !arch_get_random_long(&rv)) |
4122 | - rv = random_get_entropy(); |
4123 | - mix_pool_bytes(r, &rv, sizeof(rv)); |
4124 | - } |
4125 | - mix_pool_bytes(r, utsname(), sizeof(*(utsname()))); |
4126 | + static unsigned char last_value; |
4127 | + static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES }; |
4128 | + |
4129 | + /* Ignore autorepeat and the like. */ |
4130 | + if (value == last_value) |
4131 | + return; |
4132 | + |
4133 | + last_value = value; |
4134 | + add_timer_randomness(&input_timer_state, |
4135 | + (type << 4) ^ code ^ (code >> 4) ^ value); |
4136 | } |
4137 | +EXPORT_SYMBOL_GPL(add_input_randomness); |
4138 | |
4139 | -/* |
4140 | - * Note that setup_arch() may call add_device_randomness() |
4141 | - * long before we get here. This allows seeding of the pools |
4142 | - * with some platform dependent data very early in the boot |
4143 | - * process. But it limits our options here. We must use |
4144 | - * statically allocated structures that already have all |
4145 | - * initializations complete at compile time. We should also |
4146 | - * take care not to overwrite the precious per platform data |
4147 | - * we were given. |
4148 | - */ |
4149 | -int __init rand_initialize(void) |
4150 | +#ifdef CONFIG_BLOCK |
4151 | +void add_disk_randomness(struct gendisk *disk) |
4152 | { |
4153 | - init_std_data(&input_pool); |
4154 | - init_std_data(&blocking_pool); |
4155 | - if (crng_need_final_init) |
4156 | - crng_finalize_init(&primary_crng); |
4157 | - crng_initialize(&primary_crng); |
4158 | - crng_global_init_time = jiffies; |
4159 | - if (ratelimit_disable) { |
4160 | - urandom_warning.interval = 0; |
4161 | - unseeded_warning.interval = 0; |
4162 | - } |
4163 | - return 0; |
4164 | + if (!disk || !disk->random) |
4165 | + return; |
4166 | + /* First major is 1, so we get >= 0x200 here. */ |
4167 | + add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); |
4168 | } |
4169 | +EXPORT_SYMBOL_GPL(add_disk_randomness); |
4170 | |
4171 | -#ifdef CONFIG_BLOCK |
4172 | -void rand_initialize_disk(struct gendisk *disk) |
4173 | +void __cold rand_initialize_disk(struct gendisk *disk) |
4174 | { |
4175 | struct timer_rand_state *state; |
4176 | |
4177 | @@ -2006,134 +1126,189 @@ void rand_initialize_disk(struct gendisk *disk) |
4178 | } |
4179 | #endif |
4180 | |
4181 | -static ssize_t |
4182 | -_random_read(int nonblock, char __user *buf, size_t nbytes) |
4183 | +/* |
4184 | + * Each time the timer fires, we expect that we got an unpredictable |
4185 | + * jump in the cycle counter. Even if the timer is running on another |
4186 | + * CPU, the timer activity will be touching the stack of the CPU that is |
4187 | + * generating entropy.. |
4188 | + * |
4189 | + * Note that we don't re-arm the timer in the timer itself - we are |
4190 | + * happy to be scheduled away, since that just makes the load more |
4191 | + * complex, but we do not want the timer to keep ticking unless the |
4192 | + * entropy loop is running. |
4193 | + * |
4194 | + * So the re-arming always happens in the entropy loop itself. |
4195 | + */ |
4196 | +static void __cold entropy_timer(struct timer_list *t) |
4197 | +{ |
4198 | + credit_init_bits(1); |
4199 | +} |
4200 | + |
4201 | +/* |
4202 | + * If we have an actual cycle counter, see if we can |
4203 | + * generate enough entropy with timing noise |
4204 | + */ |
4205 | +static void __cold try_to_generate_entropy(void) |
4206 | { |
4207 | - ssize_t n; |
4208 | + struct { |
4209 | + unsigned long entropy; |
4210 | + struct timer_list timer; |
4211 | + } stack; |
4212 | |
4213 | - if (nbytes == 0) |
4214 | - return 0; |
4215 | + stack.entropy = random_get_entropy(); |
4216 | |
4217 | - nbytes = min_t(size_t, nbytes, SEC_XFER_SIZE); |
4218 | - while (1) { |
4219 | - n = extract_entropy_user(&blocking_pool, buf, nbytes); |
4220 | - if (n < 0) |
4221 | - return n; |
4222 | - trace_random_read(n*8, (nbytes-n)*8, |
4223 | - ENTROPY_BITS(&blocking_pool), |
4224 | - ENTROPY_BITS(&input_pool)); |
4225 | - if (n > 0) |
4226 | - return n; |
4227 | - |
4228 | - /* Pool is (near) empty. Maybe wait and retry. */ |
4229 | - if (nonblock) |
4230 | - return -EAGAIN; |
4231 | + /* Slow counter - or none. Don't even bother */ |
4232 | + if (stack.entropy == random_get_entropy()) |
4233 | + return; |
4234 | |
4235 | - wait_event_interruptible(random_read_wait, |
4236 | - blocking_pool.initialized && |
4237 | - (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits)); |
4238 | - if (signal_pending(current)) |
4239 | - return -ERESTARTSYS; |
4240 | + timer_setup_on_stack(&stack.timer, entropy_timer, 0); |
4241 | + while (!crng_ready() && !signal_pending(current)) { |
4242 | + if (!timer_pending(&stack.timer)) |
4243 | + mod_timer(&stack.timer, jiffies + 1); |
4244 | + mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
4245 | + schedule(); |
4246 | + stack.entropy = random_get_entropy(); |
4247 | } |
4248 | -} |
4249 | |
4250 | -static ssize_t |
4251 | -random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) |
4252 | -{ |
4253 | - return _random_read(file->f_flags & O_NONBLOCK, buf, nbytes); |
4254 | + del_timer_sync(&stack.timer); |
4255 | + destroy_timer_on_stack(&stack.timer); |
4256 | + mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); |
4257 | } |
4258 | |
4259 | -static ssize_t |
4260 | -urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) |
4261 | + |
4262 | +/********************************************************************** |
4263 | + * |
4264 | + * Userspace reader/writer interfaces. |
4265 | + * |
4266 | + * getrandom(2) is the primary modern interface into the RNG and should |
4267 | + * be used in preference to anything else. |
4268 | + * |
4269 | + * Reading from /dev/random has the same functionality as calling |
4270 | + * getrandom(2) with flags=0. In earlier versions, however, it had |
4271 | + * vastly different semantics and should therefore be avoided, to |
4272 | + * prevent backwards compatibility issues. |
4273 | + * |
4274 | + * Reading from /dev/urandom has the same functionality as calling |
4275 | + * getrandom(2) with flags=GRND_INSECURE. Because it does not block |
4276 | + * waiting for the RNG to be ready, it should not be used. |
4277 | + * |
4278 | + * Writing to either /dev/random or /dev/urandom adds entropy to |
4279 | + * the input pool but does not credit it. |
4280 | + * |
4281 | + * Polling on /dev/random indicates when the RNG is initialized, on |
4282 | + * the read side, and when it wants new entropy, on the write side. |
4283 | + * |
4284 | + * Both /dev/random and /dev/urandom have the same set of ioctls for |
4285 | + * adding entropy, getting the entropy count, zeroing the count, and |
4286 | + * reseeding the crng. |
4287 | + * |
4288 | + **********************************************************************/ |
4289 | + |
4290 | +SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags) |
4291 | { |
4292 | - unsigned long flags; |
4293 | - static int maxwarn = 10; |
4294 | + struct iov_iter iter; |
4295 | + struct iovec iov; |
4296 | int ret; |
4297 | |
4298 | - if (!crng_ready() && maxwarn > 0) { |
4299 | - maxwarn--; |
4300 | - if (__ratelimit(&urandom_warning)) |
4301 | - printk(KERN_NOTICE "random: %s: uninitialized " |
4302 | - "urandom read (%zd bytes read)\n", |
4303 | - current->comm, nbytes); |
4304 | - spin_lock_irqsave(&primary_crng.lock, flags); |
4305 | - crng_init_cnt = 0; |
4306 | - spin_unlock_irqrestore(&primary_crng.lock, flags); |
4307 | + if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) |
4308 | + return -EINVAL; |
4309 | + |
4310 | + /* |
4311 | + * Requesting insecure and blocking randomness at the same time makes |
4312 | + * no sense. |
4313 | + */ |
4314 | + if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) |
4315 | + return -EINVAL; |
4316 | + |
4317 | + if (!crng_ready() && !(flags & GRND_INSECURE)) { |
4318 | + if (flags & GRND_NONBLOCK) |
4319 | + return -EAGAIN; |
4320 | + ret = wait_for_random_bytes(); |
4321 | + if (unlikely(ret)) |
4322 | + return ret; |
4323 | } |
4324 | - nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3)); |
4325 | - ret = extract_crng_user(buf, nbytes); |
4326 | - trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS(&input_pool)); |
4327 | - return ret; |
4328 | + |
4329 | + ret = import_single_range(READ, ubuf, len, &iov, &iter); |
4330 | + if (unlikely(ret)) |
4331 | + return ret; |
4332 | + return get_random_bytes_user(&iter); |
4333 | } |
4334 | |
4335 | -static __poll_t |
4336 | -random_poll(struct file *file, poll_table * wait) |
4337 | +static __poll_t random_poll(struct file *file, poll_table *wait) |
4338 | { |
4339 | - __poll_t mask; |
4340 | - |
4341 | - poll_wait(file, &random_read_wait, wait); |
4342 | - poll_wait(file, &random_write_wait, wait); |
4343 | - mask = 0; |
4344 | - if (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits) |
4345 | - mask |= EPOLLIN | EPOLLRDNORM; |
4346 | - if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits) |
4347 | - mask |= EPOLLOUT | EPOLLWRNORM; |
4348 | - return mask; |
4349 | + poll_wait(file, &crng_init_wait, wait); |
4350 | + return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; |
4351 | } |
4352 | |
4353 | -static int |
4354 | -write_pool(struct entropy_store *r, const char __user *buffer, size_t count) |
4355 | +static ssize_t write_pool_user(struct iov_iter *iter) |
4356 | { |
4357 | - size_t bytes; |
4358 | - __u32 t, buf[16]; |
4359 | - const char __user *p = buffer; |
4360 | + u8 block[BLAKE2S_BLOCK_SIZE]; |
4361 | + ssize_t ret = 0; |
4362 | + size_t copied; |
4363 | |
4364 | - while (count > 0) { |
4365 | - int b, i = 0; |
4366 | + if (unlikely(!iov_iter_count(iter))) |
4367 | + return 0; |
4368 | |
4369 | - bytes = min(count, sizeof(buf)); |
4370 | - if (copy_from_user(&buf, p, bytes)) |
4371 | - return -EFAULT; |
4372 | + for (;;) { |
4373 | + copied = copy_from_iter(block, sizeof(block), iter); |
4374 | + ret += copied; |
4375 | + mix_pool_bytes(block, copied); |
4376 | + if (!iov_iter_count(iter) || copied != sizeof(block)) |
4377 | + break; |
4378 | |
4379 | - for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { |
4380 | - if (!arch_get_random_int(&t)) |
4381 | + BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0); |
4382 | + if (ret % PAGE_SIZE == 0) { |
4383 | + if (signal_pending(current)) |
4384 | break; |
4385 | - buf[i] ^= t; |
4386 | + cond_resched(); |
4387 | } |
4388 | + } |
4389 | + |
4390 | + memzero_explicit(block, sizeof(block)); |
4391 | + return ret ? ret : -EFAULT; |
4392 | +} |
4393 | |
4394 | - count -= bytes; |
4395 | - p += bytes; |
4396 | +static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter) |
4397 | +{ |
4398 | + return write_pool_user(iter); |
4399 | +} |
4400 | + |
4401 | +static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
4402 | +{ |
4403 | + static int maxwarn = 10; |
4404 | |
4405 | - mix_pool_bytes(r, buf, bytes); |
4406 | - cond_resched(); |
4407 | + if (!crng_ready()) { |
4408 | + if (!ratelimit_disable && maxwarn <= 0) |
4409 | + ++urandom_warning.missed; |
4410 | + else if (ratelimit_disable || __ratelimit(&urandom_warning)) { |
4411 | + --maxwarn; |
4412 | + pr_notice("%s: uninitialized urandom read (%zu bytes read)\n", |
4413 | + current->comm, iov_iter_count(iter)); |
4414 | + } |
4415 | } |
4416 | |
4417 | - return 0; |
4418 | + return get_random_bytes_user(iter); |
4419 | } |
4420 | |
4421 | -static ssize_t random_write(struct file *file, const char __user *buffer, |
4422 | - size_t count, loff_t *ppos) |
4423 | +static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter) |
4424 | { |
4425 | - size_t ret; |
4426 | + int ret; |
4427 | |
4428 | - ret = write_pool(&input_pool, buffer, count); |
4429 | - if (ret) |
4430 | + ret = wait_for_random_bytes(); |
4431 | + if (ret != 0) |
4432 | return ret; |
4433 | - |
4434 | - return (ssize_t)count; |
4435 | + return get_random_bytes_user(iter); |
4436 | } |
4437 | |
4438 | static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) |
4439 | { |
4440 | - int size, ent_count; |
4441 | int __user *p = (int __user *)arg; |
4442 | - int retval; |
4443 | + int ent_count; |
4444 | |
4445 | switch (cmd) { |
4446 | case RNDGETENTCNT: |
4447 | - /* inherently racy, no point locking */ |
4448 | - ent_count = ENTROPY_BITS(&input_pool); |
4449 | - if (put_user(ent_count, p)) |
4450 | + /* Inherently racy, no point locking. */ |
4451 | + if (put_user(input_pool.init_bits, p)) |
4452 | return -EFAULT; |
4453 | return 0; |
4454 | case RNDADDTOENTCNT: |
4455 | @@ -2141,39 +1316,48 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) |
4456 | return -EPERM; |
4457 | if (get_user(ent_count, p)) |
4458 | return -EFAULT; |
4459 | - return credit_entropy_bits_safe(&input_pool, ent_count); |
4460 | - case RNDADDENTROPY: |
4461 | + if (ent_count < 0) |
4462 | + return -EINVAL; |
4463 | + credit_init_bits(ent_count); |
4464 | + return 0; |
4465 | + case RNDADDENTROPY: { |
4466 | + struct iov_iter iter; |
4467 | + struct iovec iov; |
4468 | + ssize_t ret; |
4469 | + int len; |
4470 | + |
4471 | if (!capable(CAP_SYS_ADMIN)) |
4472 | return -EPERM; |
4473 | if (get_user(ent_count, p++)) |
4474 | return -EFAULT; |
4475 | if (ent_count < 0) |
4476 | return -EINVAL; |
4477 | - if (get_user(size, p++)) |
4478 | + if (get_user(len, p++)) |
4479 | + return -EFAULT; |
4480 | + ret = import_single_range(WRITE, p, len, &iov, &iter); |
4481 | + if (unlikely(ret)) |
4482 | + return ret; |
4483 | + ret = write_pool_user(&iter); |
4484 | + if (unlikely(ret < 0)) |
4485 | + return ret; |
4486 | + /* Since we're crediting, enforce that it was all written into the pool. */ |
4487 | + if (unlikely(ret != len)) |
4488 | return -EFAULT; |
4489 | - retval = write_pool(&input_pool, (const char __user *)p, |
4490 | - size); |
4491 | - if (retval < 0) |
4492 | - return retval; |
4493 | - return credit_entropy_bits_safe(&input_pool, ent_count); |
4494 | + credit_init_bits(ent_count); |
4495 | + return 0; |
4496 | + } |
4497 | case RNDZAPENTCNT: |
4498 | case RNDCLEARPOOL: |
4499 | - /* |
4500 | - * Clear the entropy pool counters. We no longer clear |
4501 | - * the entropy pool, as that's silly. |
4502 | - */ |
4503 | + /* No longer has any effect. */ |
4504 | if (!capable(CAP_SYS_ADMIN)) |
4505 | return -EPERM; |
4506 | - input_pool.entropy_count = 0; |
4507 | - blocking_pool.entropy_count = 0; |
4508 | return 0; |
4509 | case RNDRESEEDCRNG: |
4510 | if (!capable(CAP_SYS_ADMIN)) |
4511 | return -EPERM; |
4512 | - if (crng_init < 2) |
4513 | + if (!crng_ready()) |
4514 | return -ENODATA; |
4515 | - crng_reseed(&primary_crng, &input_pool); |
4516 | - WRITE_ONCE(crng_global_init_time, jiffies - 1); |
4517 | + crng_reseed(); |
4518 | return 0; |
4519 | default: |
4520 | return -EINVAL; |
4521 | @@ -2186,49 +1370,56 @@ static int random_fasync(int fd, struct file *filp, int on) |
4522 | } |
4523 | |
4524 | const struct file_operations random_fops = { |
4525 | - .read = random_read, |
4526 | - .write = random_write, |
4527 | - .poll = random_poll, |
4528 | + .read_iter = random_read_iter, |
4529 | + .write_iter = random_write_iter, |
4530 | + .poll = random_poll, |
4531 | .unlocked_ioctl = random_ioctl, |
4532 | + .compat_ioctl = compat_ptr_ioctl, |
4533 | .fasync = random_fasync, |
4534 | .llseek = noop_llseek, |
4535 | + .splice_read = generic_file_splice_read, |
4536 | + .splice_write = iter_file_splice_write, |
4537 | }; |
4538 | |
4539 | const struct file_operations urandom_fops = { |
4540 | - .read = urandom_read, |
4541 | - .write = random_write, |
4542 | + .read_iter = urandom_read_iter, |
4543 | + .write_iter = random_write_iter, |
4544 | .unlocked_ioctl = random_ioctl, |
4545 | + .compat_ioctl = compat_ptr_ioctl, |
4546 | .fasync = random_fasync, |
4547 | .llseek = noop_llseek, |
4548 | + .splice_read = generic_file_splice_read, |
4549 | + .splice_write = iter_file_splice_write, |
4550 | }; |
4551 | |
4552 | -SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, |
4553 | - unsigned int, flags) |
4554 | -{ |
4555 | - int ret; |
4556 | - |
4557 | - if (flags & ~(GRND_NONBLOCK|GRND_RANDOM)) |
4558 | - return -EINVAL; |
4559 | - |
4560 | - if (count > INT_MAX) |
4561 | - count = INT_MAX; |
4562 | - |
4563 | - if (flags & GRND_RANDOM) |
4564 | - return _random_read(flags & GRND_NONBLOCK, buf, count); |
4565 | - |
4566 | - if (!crng_ready()) { |
4567 | - if (flags & GRND_NONBLOCK) |
4568 | - return -EAGAIN; |
4569 | - ret = wait_for_random_bytes(); |
4570 | - if (unlikely(ret)) |
4571 | - return ret; |
4572 | - } |
4573 | - return urandom_read(NULL, buf, count, NULL); |
4574 | -} |
4575 | |
4576 | /******************************************************************** |
4577 | * |
4578 | - * Sysctl interface |
4579 | + * Sysctl interface. |
4580 | + * |
4581 | + * These are partly unused legacy knobs with dummy values to not break |
4582 | + * userspace and partly still useful things. They are usually accessible |
4583 | + * in /proc/sys/kernel/random/ and are as follows: |
4584 | + * |
4585 | + * - boot_id - a UUID representing the current boot. |
4586 | + * |
4587 | + * - uuid - a random UUID, different each time the file is read. |
4588 | + * |
4589 | + * - poolsize - the number of bits of entropy that the input pool can |
4590 | + * hold, tied to the POOL_BITS constant. |
4591 | + * |
4592 | + * - entropy_avail - the number of bits of entropy currently in the |
4593 | + * input pool. Always <= poolsize. |
4594 | + * |
4595 | + * - write_wakeup_threshold - the amount of entropy in the input pool |
4596 | + * below which write polls to /dev/random will unblock, requesting |
4597 | + * more entropy, tied to the POOL_READY_BITS constant. It is writable |
4598 | + * to avoid breaking old userspaces, but writing to it does not |
4599 | + * change any behavior of the RNG. |
4600 | + * |
4601 | + * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL. |
4602 | + * It is writable to avoid breaking old userspaces, but writing |
4603 | + * to it does not change any behavior of the RNG. |
4604 | * |
4605 | ********************************************************************/ |
4606 | |
4607 | @@ -2236,26 +1427,28 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, |
4608 | |
4609 | #include <linux/sysctl.h> |
4610 | |
4611 | -static int min_read_thresh = 8, min_write_thresh; |
4612 | -static int max_read_thresh = OUTPUT_POOL_WORDS * 32; |
4613 | -static int max_write_thresh = INPUT_POOL_WORDS * 32; |
4614 | -static int random_min_urandom_seed = 60; |
4615 | -static char sysctl_bootid[16]; |
4616 | +static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ; |
4617 | +static int sysctl_random_write_wakeup_bits = POOL_READY_BITS; |
4618 | +static int sysctl_poolsize = POOL_BITS; |
4619 | +static u8 sysctl_bootid[UUID_SIZE]; |
4620 | |
4621 | /* |
4622 | * This function is used to return both the bootid UUID, and random |
4623 | - * UUID. The difference is in whether table->data is NULL; if it is, |
4624 | + * UUID. The difference is in whether table->data is NULL; if it is, |
4625 | * then a new UUID is generated and returned to the user. |
4626 | - * |
4627 | - * If the user accesses this via the proc interface, the UUID will be |
4628 | - * returned as an ASCII string in the standard UUID format; if via the |
4629 | - * sysctl system call, as 16 bytes of binary data. |
4630 | */ |
4631 | -static int proc_do_uuid(struct ctl_table *table, int write, |
4632 | - void __user *buffer, size_t *lenp, loff_t *ppos) |
4633 | -{ |
4634 | - struct ctl_table fake_table; |
4635 | - unsigned char buf[64], tmp_uuid[16], *uuid; |
4636 | +static int proc_do_uuid(struct ctl_table *table, int write, void __user *buf, |
4637 | + size_t *lenp, loff_t *ppos) |
4638 | +{ |
4639 | + u8 tmp_uuid[UUID_SIZE], *uuid; |
4640 | + char uuid_string[UUID_STRING_LEN + 1]; |
4641 | + struct ctl_table fake_table = { |
4642 | + .data = uuid_string, |
4643 | + .maxlen = UUID_STRING_LEN |
4644 | + }; |
4645 | + |
4646 | + if (write) |
4647 | + return -EPERM; |
4648 | |
4649 | uuid = table->data; |
4650 | if (!uuid) { |
4651 | @@ -2270,32 +1463,17 @@ static int proc_do_uuid(struct ctl_table *table, int write, |
4652 | spin_unlock(&bootid_spinlock); |
4653 | } |
4654 | |
4655 | - sprintf(buf, "%pU", uuid); |
4656 | - |
4657 | - fake_table.data = buf; |
4658 | - fake_table.maxlen = sizeof(buf); |
4659 | - |
4660 | - return proc_dostring(&fake_table, write, buffer, lenp, ppos); |
4661 | + snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid); |
4662 | + return proc_dostring(&fake_table, 0, buf, lenp, ppos); |
4663 | } |
4664 | |
4665 | -/* |
4666 | - * Return entropy available scaled to integral bits |
4667 | - */ |
4668 | -static int proc_do_entropy(struct ctl_table *table, int write, |
4669 | - void __user *buffer, size_t *lenp, loff_t *ppos) |
4670 | +/* The same as proc_dointvec, but writes don't change anything. */ |
4671 | +static int proc_do_rointvec(struct ctl_table *table, int write, void __user *buf, |
4672 | + size_t *lenp, loff_t *ppos) |
4673 | { |
4674 | - struct ctl_table fake_table; |
4675 | - int entropy_count; |
4676 | - |
4677 | - entropy_count = *(int *)table->data >> ENTROPY_SHIFT; |
4678 | - |
4679 | - fake_table.data = &entropy_count; |
4680 | - fake_table.maxlen = sizeof(entropy_count); |
4681 | - |
4682 | - return proc_dointvec(&fake_table, write, buffer, lenp, ppos); |
4683 | + return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos); |
4684 | } |
4685 | |
4686 | -static int sysctl_poolsize = INPUT_POOL_WORDS * 32; |
4687 | extern struct ctl_table random_table[]; |
4688 | struct ctl_table random_table[] = { |
4689 | { |
4690 | @@ -2307,231 +1485,36 @@ struct ctl_table random_table[] = { |
4691 | }, |
4692 | { |
4693 | .procname = "entropy_avail", |
4694 | + .data = &input_pool.init_bits, |
4695 | .maxlen = sizeof(int), |
4696 | .mode = 0444, |
4697 | - .proc_handler = proc_do_entropy, |
4698 | - .data = &input_pool.entropy_count, |
4699 | - }, |
4700 | - { |
4701 | - .procname = "read_wakeup_threshold", |
4702 | - .data = &random_read_wakeup_bits, |
4703 | - .maxlen = sizeof(int), |
4704 | - .mode = 0644, |
4705 | - .proc_handler = proc_dointvec_minmax, |
4706 | - .extra1 = &min_read_thresh, |
4707 | - .extra2 = &max_read_thresh, |
4708 | + .proc_handler = proc_dointvec, |
4709 | }, |
4710 | { |
4711 | .procname = "write_wakeup_threshold", |
4712 | - .data = &random_write_wakeup_bits, |
4713 | + .data = &sysctl_random_write_wakeup_bits, |
4714 | .maxlen = sizeof(int), |
4715 | .mode = 0644, |
4716 | - .proc_handler = proc_dointvec_minmax, |
4717 | - .extra1 = &min_write_thresh, |
4718 | - .extra2 = &max_write_thresh, |
4719 | + .proc_handler = proc_do_rointvec, |
4720 | }, |
4721 | { |
4722 | .procname = "urandom_min_reseed_secs", |
4723 | - .data = &random_min_urandom_seed, |
4724 | + .data = &sysctl_random_min_urandom_seed, |
4725 | .maxlen = sizeof(int), |
4726 | .mode = 0644, |
4727 | - .proc_handler = proc_dointvec, |
4728 | + .proc_handler = proc_do_rointvec, |
4729 | }, |
4730 | { |
4731 | .procname = "boot_id", |
4732 | .data = &sysctl_bootid, |
4733 | - .maxlen = 16, |
4734 | .mode = 0444, |
4735 | .proc_handler = proc_do_uuid, |
4736 | }, |
4737 | { |
4738 | .procname = "uuid", |
4739 | - .maxlen = 16, |
4740 | .mode = 0444, |
4741 | .proc_handler = proc_do_uuid, |
4742 | }, |
4743 | -#ifdef ADD_INTERRUPT_BENCH |
4744 | - { |
4745 | - .procname = "add_interrupt_avg_cycles", |
4746 | - .data = &avg_cycles, |
4747 | - .maxlen = sizeof(avg_cycles), |
4748 | - .mode = 0444, |
4749 | - .proc_handler = proc_doulongvec_minmax, |
4750 | - }, |
4751 | - { |
4752 | - .procname = "add_interrupt_avg_deviation", |
4753 | - .data = &avg_deviation, |
4754 | - .maxlen = sizeof(avg_deviation), |
4755 | - .mode = 0444, |
4756 | - .proc_handler = proc_doulongvec_minmax, |
4757 | - }, |
4758 | -#endif |
4759 | { } |
4760 | }; |
4761 | -#endif /* CONFIG_SYSCTL */ |
4762 | - |
4763 | -struct batched_entropy { |
4764 | - union { |
4765 | - u64 entropy_u64[CHACHA_BLOCK_SIZE / sizeof(u64)]; |
4766 | - u32 entropy_u32[CHACHA_BLOCK_SIZE / sizeof(u32)]; |
4767 | - }; |
4768 | - unsigned int position; |
4769 | - spinlock_t batch_lock; |
4770 | -}; |
4771 | - |
4772 | -/* |
4773 | - * Get a random word for internal kernel use only. The quality of the random |
4774 | - * number is good as /dev/urandom, but there is no backtrack protection, with |
4775 | - * the goal of being quite fast and not depleting entropy. In order to ensure |
4776 | - * that the randomness provided by this function is okay, the function |
4777 | - * wait_for_random_bytes() should be called and return 0 at least once at any |
4778 | - * point prior. |
4779 | - */ |
4780 | -static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = { |
4781 | - .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock), |
4782 | -}; |
4783 | - |
4784 | -u64 get_random_u64(void) |
4785 | -{ |
4786 | - u64 ret; |
4787 | - unsigned long flags; |
4788 | - struct batched_entropy *batch; |
4789 | - static void *previous; |
4790 | - |
4791 | - warn_unseeded_randomness(&previous); |
4792 | - |
4793 | - batch = raw_cpu_ptr(&batched_entropy_u64); |
4794 | - spin_lock_irqsave(&batch->batch_lock, flags); |
4795 | - if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) { |
4796 | - extract_crng((u8 *)batch->entropy_u64); |
4797 | - batch->position = 0; |
4798 | - } |
4799 | - ret = batch->entropy_u64[batch->position++]; |
4800 | - spin_unlock_irqrestore(&batch->batch_lock, flags); |
4801 | - return ret; |
4802 | -} |
4803 | -EXPORT_SYMBOL(get_random_u64); |
4804 | - |
4805 | -static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = { |
4806 | - .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock), |
4807 | -}; |
4808 | -u32 get_random_u32(void) |
4809 | -{ |
4810 | - u32 ret; |
4811 | - unsigned long flags; |
4812 | - struct batched_entropy *batch; |
4813 | - static void *previous; |
4814 | - |
4815 | - warn_unseeded_randomness(&previous); |
4816 | - |
4817 | - batch = raw_cpu_ptr(&batched_entropy_u32); |
4818 | - spin_lock_irqsave(&batch->batch_lock, flags); |
4819 | - if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) { |
4820 | - extract_crng((u8 *)batch->entropy_u32); |
4821 | - batch->position = 0; |
4822 | - } |
4823 | - ret = batch->entropy_u32[batch->position++]; |
4824 | - spin_unlock_irqrestore(&batch->batch_lock, flags); |
4825 | - return ret; |
4826 | -} |
4827 | -EXPORT_SYMBOL(get_random_u32); |
4828 | - |
4829 | -/* It's important to invalidate all potential batched entropy that might |
4830 | - * be stored before the crng is initialized, which we can do lazily by |
4831 | - * simply resetting the counter to zero so that it's re-extracted on the |
4832 | - * next usage. */ |
4833 | -static void invalidate_batched_entropy(void) |
4834 | -{ |
4835 | - int cpu; |
4836 | - unsigned long flags; |
4837 | - |
4838 | - for_each_possible_cpu (cpu) { |
4839 | - struct batched_entropy *batched_entropy; |
4840 | - |
4841 | - batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu); |
4842 | - spin_lock_irqsave(&batched_entropy->batch_lock, flags); |
4843 | - batched_entropy->position = 0; |
4844 | - spin_unlock(&batched_entropy->batch_lock); |
4845 | - |
4846 | - batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu); |
4847 | - spin_lock(&batched_entropy->batch_lock); |
4848 | - batched_entropy->position = 0; |
4849 | - spin_unlock_irqrestore(&batched_entropy->batch_lock, flags); |
4850 | - } |
4851 | -} |
4852 | - |
4853 | -/** |
4854 | - * randomize_page - Generate a random, page aligned address |
4855 | - * @start: The smallest acceptable address the caller will take. |
4856 | - * @range: The size of the area, starting at @start, within which the |
4857 | - * random address must fall. |
4858 | - * |
4859 | - * If @start + @range would overflow, @range is capped. |
4860 | - * |
4861 | - * NOTE: Historical use of randomize_range, which this replaces, presumed that |
4862 | - * @start was already page aligned. We now align it regardless. |
4863 | - * |
4864 | - * Return: A page aligned address within [start, start + range). On error, |
4865 | - * @start is returned. |
4866 | - */ |
4867 | -unsigned long |
4868 | -randomize_page(unsigned long start, unsigned long range) |
4869 | -{ |
4870 | - if (!PAGE_ALIGNED(start)) { |
4871 | - range -= PAGE_ALIGN(start) - start; |
4872 | - start = PAGE_ALIGN(start); |
4873 | - } |
4874 | - |
4875 | - if (start > ULONG_MAX - range) |
4876 | - range = ULONG_MAX - start; |
4877 | - |
4878 | - range >>= PAGE_SHIFT; |
4879 | - |
4880 | - if (range == 0) |
4881 | - return start; |
4882 | - |
4883 | - return start + (get_random_long() % range << PAGE_SHIFT); |
4884 | -} |
4885 | - |
4886 | -/* Interface for in-kernel drivers of true hardware RNGs. |
4887 | - * Those devices may produce endless random bits and will be throttled |
4888 | - * when our pool is full. |
4889 | - */ |
4890 | -void add_hwgenerator_randomness(const char *buffer, size_t count, |
4891 | - size_t entropy) |
4892 | -{ |
4893 | - struct entropy_store *poolp = &input_pool; |
4894 | - |
4895 | - if (unlikely(crng_init == 0)) { |
4896 | - size_t ret = crng_fast_load(buffer, count); |
4897 | - count -= ret; |
4898 | - buffer += ret; |
4899 | - if (!count || crng_init == 0) |
4900 | - return; |
4901 | - } |
4902 | - |
4903 | - /* Suspend writing if we're above the trickle threshold. |
4904 | - * We'll be woken up again once below random_write_wakeup_thresh, |
4905 | - * or when the calling thread is about to terminate. |
4906 | - */ |
4907 | - wait_event_interruptible(random_write_wait, |
4908 | - !system_wq || kthread_should_stop() || |
4909 | - ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits); |
4910 | - mix_pool_bytes(poolp, buffer, count); |
4911 | - credit_entropy_bits(poolp, entropy); |
4912 | -} |
4913 | -EXPORT_SYMBOL_GPL(add_hwgenerator_randomness); |
4914 | - |
4915 | -/* Handle random seed passed by bootloader. |
4916 | - * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise |
4917 | - * it would be regarded as device data. |
4918 | - * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER. |
4919 | - */ |
4920 | -void add_bootloader_randomness(const void *buf, unsigned int size) |
4921 | -{ |
4922 | - if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER)) |
4923 | - add_hwgenerator_randomness(buf, size, size * 8); |
4924 | - else |
4925 | - add_device_randomness(buf, size); |
4926 | -} |
4927 | -EXPORT_SYMBOL_GPL(add_bootloader_randomness); |
4928 | +#endif /* CONFIG_SYSCTL */ |
4929 | diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c |
4930 | index 36933e2b3b0df..80b4b8fee54d5 100644 |
4931 | --- a/drivers/clocksource/hyperv_timer.c |
4932 | +++ b/drivers/clocksource/hyperv_timer.c |
4933 | @@ -325,4 +325,3 @@ void __init hv_init_clocksource(void) |
4934 | hv_sched_clock_offset = hyperv_cs->read(hyperv_cs); |
4935 | hv_setup_sched_clock(read_hv_sched_clock_msr); |
4936 | } |
4937 | -EXPORT_SYMBOL_GPL(hv_init_clocksource); |
4938 | diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c |
4939 | index 943654ded73d0..56918274c48cf 100644 |
4940 | --- a/drivers/hv/vmbus_drv.c |
4941 | +++ b/drivers/hv/vmbus_drv.c |
4942 | @@ -1303,7 +1303,7 @@ static void vmbus_isr(void) |
4943 | tasklet_schedule(&hv_cpu->msg_dpc); |
4944 | } |
4945 | |
4946 | - add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0); |
4947 | + add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR); |
4948 | } |
4949 | |
4950 | /* |
4951 | diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c |
4952 | index 2de7452fcd6d7..c9036675bd779 100644 |
4953 | --- a/drivers/i2c/busses/i2c-designware-common.c |
4954 | +++ b/drivers/i2c/busses/i2c-designware-common.c |
4955 | @@ -253,9 +253,6 @@ int i2c_dw_prepare_clk(struct dw_i2c_dev *dev, bool prepare) |
4956 | { |
4957 | int ret; |
4958 | |
4959 | - if (IS_ERR(dev->clk)) |
4960 | - return PTR_ERR(dev->clk); |
4961 | - |
4962 | if (prepare) { |
4963 | /* Optional interface clock */ |
4964 | ret = clk_prepare_enable(dev->pclk); |
4965 | diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c |
4966 | index 0c55c54372d7e..75313c80f132f 100644 |
4967 | --- a/drivers/i2c/busses/i2c-designware-platdrv.c |
4968 | +++ b/drivers/i2c/busses/i2c-designware-platdrv.c |
4969 | @@ -349,8 +349,17 @@ static int dw_i2c_plat_probe(struct platform_device *pdev) |
4970 | goto exit_reset; |
4971 | } |
4972 | |
4973 | - dev->clk = devm_clk_get(&pdev->dev, NULL); |
4974 | - if (!i2c_dw_prepare_clk(dev, true)) { |
4975 | + dev->clk = devm_clk_get_optional(&pdev->dev, NULL); |
4976 | + if (IS_ERR(dev->clk)) { |
4977 | + ret = PTR_ERR(dev->clk); |
4978 | + goto exit_reset; |
4979 | + } |
4980 | + |
4981 | + ret = i2c_dw_prepare_clk(dev, true); |
4982 | + if (ret) |
4983 | + goto exit_reset; |
4984 | + |
4985 | + if (dev->clk) { |
4986 | u64 clk_khz; |
4987 | |
4988 | dev->get_clk_rate_khz = i2c_dw_get_clk_rate_khz; |
4989 | diff --git a/drivers/irqchip/irq-gic-realview.c b/drivers/irqchip/irq-gic-realview.c |
4990 | index b4c1924f02554..38fab02ffe9d0 100644 |
4991 | --- a/drivers/irqchip/irq-gic-realview.c |
4992 | +++ b/drivers/irqchip/irq-gic-realview.c |
4993 | @@ -57,6 +57,7 @@ realview_gic_of_init(struct device_node *node, struct device_node *parent) |
4994 | |
4995 | /* The PB11MPCore GIC needs to be configured in the syscon */ |
4996 | map = syscon_node_to_regmap(np); |
4997 | + of_node_put(np); |
4998 | if (!IS_ERR(map)) { |
4999 | /* new irq mode with no DCC */ |
5000 | regmap_write(map, REALVIEW_SYS_LOCK_OFFSET, |
5001 | diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c |
5002 | index f589ca2480a1d..77a130c032238 100644 |
5003 | --- a/drivers/irqchip/irq-gic-v3.c |
5004 | +++ b/drivers/irqchip/irq-gic-v3.c |
5005 | @@ -1616,7 +1616,7 @@ static void __init gic_populate_ppi_partitions(struct device_node *gic_node) |
5006 | |
5007 | gic_data.ppi_descs = kcalloc(gic_data.ppi_nr, sizeof(*gic_data.ppi_descs), GFP_KERNEL); |
5008 | if (!gic_data.ppi_descs) |
5009 | - return; |
5010 | + goto out_put_node; |
5011 | |
5012 | nr_parts = of_get_child_count(parts_node); |
5013 | |
5014 | @@ -1657,12 +1657,15 @@ static void __init gic_populate_ppi_partitions(struct device_node *gic_node) |
5015 | continue; |
5016 | |
5017 | cpu = of_cpu_node_to_id(cpu_node); |
5018 | - if (WARN_ON(cpu < 0)) |
5019 | + if (WARN_ON(cpu < 0)) { |
5020 | + of_node_put(cpu_node); |
5021 | continue; |
5022 | + } |
5023 | |
5024 | pr_cont("%pOF[%d] ", cpu_node, cpu); |
5025 | |
5026 | cpumask_set_cpu(cpu, &part->mask); |
5027 | + of_node_put(cpu_node); |
5028 | } |
5029 | |
5030 | pr_cont("}\n"); |
5031 | diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c |
5032 | index 33e71ea6cc143..8b15f53cbdd95 100644 |
5033 | --- a/drivers/md/dm-log.c |
5034 | +++ b/drivers/md/dm-log.c |
5035 | @@ -415,8 +415,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti, |
5036 | /* |
5037 | * Work out how many "unsigned long"s we need to hold the bitset. |
5038 | */ |
5039 | - bitset_size = dm_round_up(region_count, |
5040 | - sizeof(*lc->clean_bits) << BYTE_SHIFT); |
5041 | + bitset_size = dm_round_up(region_count, BITS_PER_LONG); |
5042 | bitset_size >>= BYTE_SHIFT; |
5043 | |
5044 | lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits); |
5045 | diff --git a/drivers/misc/atmel-ssc.c b/drivers/misc/atmel-ssc.c |
5046 | index d6cd5537126c6..69f9b0336410d 100644 |
5047 | --- a/drivers/misc/atmel-ssc.c |
5048 | +++ b/drivers/misc/atmel-ssc.c |
5049 | @@ -232,9 +232,9 @@ static int ssc_probe(struct platform_device *pdev) |
5050 | clk_disable_unprepare(ssc->clk); |
5051 | |
5052 | ssc->irq = platform_get_irq(pdev, 0); |
5053 | - if (!ssc->irq) { |
5054 | + if (ssc->irq < 0) { |
5055 | dev_dbg(&pdev->dev, "could not get irq\n"); |
5056 | - return -ENXIO; |
5057 | + return ssc->irq; |
5058 | } |
5059 | |
5060 | mutex_lock(&user_lock); |
5061 | diff --git a/drivers/net/ethernet/broadcom/bgmac-bcma.c b/drivers/net/ethernet/broadcom/bgmac-bcma.c |
5062 | index 34d18302b1a38..2d52754afc33a 100644 |
5063 | --- a/drivers/net/ethernet/broadcom/bgmac-bcma.c |
5064 | +++ b/drivers/net/ethernet/broadcom/bgmac-bcma.c |
5065 | @@ -323,7 +323,6 @@ static void bgmac_remove(struct bcma_device *core) |
5066 | bcma_mdio_mii_unregister(bgmac->mii_bus); |
5067 | bgmac_enet_remove(bgmac); |
5068 | bcma_set_drvdata(core, NULL); |
5069 | - kfree(bgmac); |
5070 | } |
5071 | |
5072 | static struct bcma_driver bgmac_bcma_driver = { |
5073 | diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c |
5074 | index 2cc4f63b1e910..689deecb4e1a3 100644 |
5075 | --- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c |
5076 | +++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c |
5077 | @@ -2578,15 +2578,16 @@ static void i40e_diag_test(struct net_device *netdev, |
5078 | |
5079 | set_bit(__I40E_TESTING, pf->state); |
5080 | |
5081 | + if (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state) || |
5082 | + test_bit(__I40E_RESET_INTR_RECEIVED, pf->state)) { |
5083 | + dev_warn(&pf->pdev->dev, |
5084 | + "Cannot start offline testing when PF is in reset state.\n"); |
5085 | + goto skip_ol_tests; |
5086 | + } |
5087 | + |
5088 | if (i40e_active_vfs(pf) || i40e_active_vmdqs(pf)) { |
5089 | dev_warn(&pf->pdev->dev, |
5090 | "Please take active VFs and Netqueues offline and restart the adapter before running NIC diagnostics\n"); |
5091 | - data[I40E_ETH_TEST_REG] = 1; |
5092 | - data[I40E_ETH_TEST_EEPROM] = 1; |
5093 | - data[I40E_ETH_TEST_INTR] = 1; |
5094 | - data[I40E_ETH_TEST_LINK] = 1; |
5095 | - eth_test->flags |= ETH_TEST_FL_FAILED; |
5096 | - clear_bit(__I40E_TESTING, pf->state); |
5097 | goto skip_ol_tests; |
5098 | } |
5099 | |
5100 | @@ -2633,9 +2634,17 @@ static void i40e_diag_test(struct net_device *netdev, |
5101 | data[I40E_ETH_TEST_INTR] = 0; |
5102 | } |
5103 | |
5104 | -skip_ol_tests: |
5105 | - |
5106 | netif_info(pf, drv, netdev, "testing finished\n"); |
5107 | + return; |
5108 | + |
5109 | +skip_ol_tests: |
5110 | + data[I40E_ETH_TEST_REG] = 1; |
5111 | + data[I40E_ETH_TEST_EEPROM] = 1; |
5112 | + data[I40E_ETH_TEST_INTR] = 1; |
5113 | + data[I40E_ETH_TEST_LINK] = 1; |
5114 | + eth_test->flags |= ETH_TEST_FL_FAILED; |
5115 | + clear_bit(__I40E_TESTING, pf->state); |
5116 | + netif_info(pf, drv, netdev, "testing failed\n"); |
5117 | } |
5118 | |
5119 | static void i40e_get_wol(struct net_device *netdev, |
5120 | diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c |
5121 | index 7f4aa22397867..05442bbc218cd 100644 |
5122 | --- a/drivers/net/ethernet/intel/i40e/i40e_main.c |
5123 | +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c |
5124 | @@ -8108,6 +8108,11 @@ static int i40e_configure_clsflower(struct i40e_vsi *vsi, |
5125 | return -EOPNOTSUPP; |
5126 | } |
5127 | |
5128 | + if (!tc) { |
5129 | + dev_err(&pf->pdev->dev, "Unable to add filter because of invalid destination"); |
5130 | + return -EINVAL; |
5131 | + } |
5132 | + |
5133 | if (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state) || |
5134 | test_bit(__I40E_RESET_INTR_RECEIVED, pf->state)) |
5135 | return -EBUSY; |
5136 | diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |
5137 | index 4962e6193eeca..4080fdacca4cc 100644 |
5138 | --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |
5139 | +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |
5140 | @@ -2149,7 +2149,7 @@ static int i40e_vc_config_queues_msg(struct i40e_vf *vf, u8 *msg) |
5141 | } |
5142 | |
5143 | if (vf->adq_enabled) { |
5144 | - for (i = 0; i < I40E_MAX_VF_VSI; i++) |
5145 | + for (i = 0; i < vf->num_tc; i++) |
5146 | num_qps_all += vf->ch[i].num_qps; |
5147 | if (num_qps_all != qci->num_queue_pairs) { |
5148 | aq_ret = I40E_ERR_PARAM; |
5149 | diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c |
5150 | index 5dce4cd60f58d..f9139150a8a26 100644 |
5151 | --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c |
5152 | +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c |
5153 | @@ -802,6 +802,17 @@ static inline void mtk_rx_get_desc(struct mtk_rx_dma *rxd, |
5154 | rxd->rxd4 = READ_ONCE(dma_rxd->rxd4); |
5155 | } |
5156 | |
5157 | +static void *mtk_max_lro_buf_alloc(gfp_t gfp_mask) |
5158 | +{ |
5159 | + unsigned int size = mtk_max_frag_size(MTK_MAX_LRO_RX_LENGTH); |
5160 | + unsigned long data; |
5161 | + |
5162 | + data = __get_free_pages(gfp_mask | __GFP_COMP | __GFP_NOWARN, |
5163 | + get_order(size)); |
5164 | + |
5165 | + return (void *)data; |
5166 | +} |
5167 | + |
5168 | /* the qdma core needs scratch memory to be setup */ |
5169 | static int mtk_init_fq_dma(struct mtk_eth *eth) |
5170 | { |
5171 | @@ -1299,7 +1310,10 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, |
5172 | goto release_desc; |
5173 | |
5174 | /* alloc new buffer */ |
5175 | - new_data = napi_alloc_frag(ring->frag_size); |
5176 | + if (ring->frag_size <= PAGE_SIZE) |
5177 | + new_data = napi_alloc_frag(ring->frag_size); |
5178 | + else |
5179 | + new_data = mtk_max_lro_buf_alloc(GFP_ATOMIC); |
5180 | if (unlikely(!new_data)) { |
5181 | netdev->stats.rx_dropped++; |
5182 | goto release_desc; |
5183 | @@ -1696,7 +1710,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) |
5184 | return -ENOMEM; |
5185 | |
5186 | for (i = 0; i < rx_dma_size; i++) { |
5187 | - ring->data[i] = netdev_alloc_frag(ring->frag_size); |
5188 | + if (ring->frag_size <= PAGE_SIZE) |
5189 | + ring->data[i] = netdev_alloc_frag(ring->frag_size); |
5190 | + else |
5191 | + ring->data[i] = mtk_max_lro_buf_alloc(GFP_KERNEL); |
5192 | if (!ring->data[i]) |
5193 | return -ENOMEM; |
5194 | } |
5195 | diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h b/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h |
5196 | index 81465e267b100..b7eb3674e2856 100644 |
5197 | --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h |
5198 | +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h |
5199 | @@ -7,8 +7,8 @@ |
5200 | #include "spectrum.h" |
5201 | |
5202 | enum mlxsw_sp_counter_sub_pool_id { |
5203 | - MLXSW_SP_COUNTER_SUB_POOL_FLOW, |
5204 | MLXSW_SP_COUNTER_SUB_POOL_RIF, |
5205 | + MLXSW_SP_COUNTER_SUB_POOL_FLOW, |
5206 | }; |
5207 | |
5208 | int mlxsw_sp_counter_alloc(struct mlxsw_sp *mlxsw_sp, |
5209 | diff --git a/drivers/nfc/nfcmrvl/usb.c b/drivers/nfc/nfcmrvl/usb.c |
5210 | index 888e298f610b8..f26986eb53f19 100644 |
5211 | --- a/drivers/nfc/nfcmrvl/usb.c |
5212 | +++ b/drivers/nfc/nfcmrvl/usb.c |
5213 | @@ -401,13 +401,25 @@ static void nfcmrvl_play_deferred(struct nfcmrvl_usb_drv_data *drv_data) |
5214 | int err; |
5215 | |
5216 | while ((urb = usb_get_from_anchor(&drv_data->deferred))) { |
5217 | + usb_anchor_urb(urb, &drv_data->tx_anchor); |
5218 | + |
5219 | err = usb_submit_urb(urb, GFP_ATOMIC); |
5220 | - if (err) |
5221 | + if (err) { |
5222 | + kfree(urb->setup_packet); |
5223 | + usb_unanchor_urb(urb); |
5224 | + usb_free_urb(urb); |
5225 | break; |
5226 | + } |
5227 | |
5228 | drv_data->tx_in_flight++; |
5229 | + usb_free_urb(urb); |
5230 | + } |
5231 | + |
5232 | + /* Cleanup the rest deferred urbs. */ |
5233 | + while ((urb = usb_get_from_anchor(&drv_data->deferred))) { |
5234 | + kfree(urb->setup_packet); |
5235 | + usb_free_urb(urb); |
5236 | } |
5237 | - usb_scuttle_anchored_urbs(&drv_data->deferred); |
5238 | } |
5239 | |
5240 | static int nfcmrvl_resume(struct usb_interface *intf) |
5241 | diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c |
5242 | index ccaace2a5b0e5..d416365042462 100644 |
5243 | --- a/drivers/nfc/st21nfca/se.c |
5244 | +++ b/drivers/nfc/st21nfca/se.c |
5245 | @@ -304,6 +304,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, |
5246 | int r = 0; |
5247 | struct device *dev = &hdev->ndev->dev; |
5248 | struct nfc_evt_transaction *transaction; |
5249 | + u32 aid_len; |
5250 | + u8 params_len; |
5251 | |
5252 | pr_debug("connectivity gate event: %x\n", event); |
5253 | |
5254 | @@ -312,51 +314,48 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, |
5255 | r = nfc_se_connectivity(hdev->ndev, host); |
5256 | break; |
5257 | case ST21NFCA_EVT_TRANSACTION: |
5258 | - /* |
5259 | - * According to specification etsi 102 622 |
5260 | + /* According to specification etsi 102 622 |
5261 | * 11.2.2.4 EVT_TRANSACTION Table 52 |
5262 | * Description Tag Length |
5263 | * AID 81 5 to 16 |
5264 | * PARAMETERS 82 0 to 255 |
5265 | + * |
5266 | + * The key differences are aid storage length is variably sized |
5267 | + * in the packet, but fixed in nfc_evt_transaction, and that the aid_len |
5268 | + * is u8 in the packet, but u32 in the structure, and the tags in |
5269 | + * the packet are not included in nfc_evt_transaction. |
5270 | + * |
5271 | + * size in bytes: 1 1 5-16 1 1 0-255 |
5272 | + * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4 |
5273 | + * member name: aid_tag(M) aid_len aid params_tag(M) params_len params |
5274 | + * example: 0x81 5-16 X 0x82 0-255 X |
5275 | */ |
5276 | - if (skb->len < NFC_MIN_AID_LENGTH + 2 || |
5277 | - skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) |
5278 | + if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) |
5279 | return -EPROTO; |
5280 | |
5281 | - transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, |
5282 | - skb->len - 2, GFP_KERNEL); |
5283 | - if (!transaction) |
5284 | - return -ENOMEM; |
5285 | - |
5286 | - transaction->aid_len = skb->data[1]; |
5287 | + aid_len = skb->data[1]; |
5288 | |
5289 | - /* Checking if the length of the AID is valid */ |
5290 | - if (transaction->aid_len > sizeof(transaction->aid)) { |
5291 | - devm_kfree(dev, transaction); |
5292 | - return -EINVAL; |
5293 | - } |
5294 | + if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid)) |
5295 | + return -EPROTO; |
5296 | |
5297 | - memcpy(transaction->aid, &skb->data[2], |
5298 | - transaction->aid_len); |
5299 | + params_len = skb->data[aid_len + 3]; |
5300 | |
5301 | - /* Check next byte is PARAMETERS tag (82) */ |
5302 | - if (skb->data[transaction->aid_len + 2] != |
5303 | - NFC_EVT_TRANSACTION_PARAMS_TAG) { |
5304 | - devm_kfree(dev, transaction); |
5305 | + /* Verify PARAMETERS tag is (82), and final check that there is enough |
5306 | + * space in the packet to read everything. |
5307 | + */ |
5308 | + if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) || |
5309 | + (skb->len < aid_len + 4 + params_len)) |
5310 | return -EPROTO; |
5311 | - } |
5312 | |
5313 | - transaction->params_len = skb->data[transaction->aid_len + 3]; |
5314 | + transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL); |
5315 | + if (!transaction) |
5316 | + return -ENOMEM; |
5317 | |
5318 | - /* Total size is allocated (skb->len - 2) minus fixed array members */ |
5319 | - if (transaction->params_len > ((skb->len - 2) - |
5320 | - sizeof(struct nfc_evt_transaction))) { |
5321 | - devm_kfree(dev, transaction); |
5322 | - return -EINVAL; |
5323 | - } |
5324 | + transaction->aid_len = aid_len; |
5325 | + transaction->params_len = params_len; |
5326 | |
5327 | - memcpy(transaction->params, skb->data + |
5328 | - transaction->aid_len + 4, transaction->params_len); |
5329 | + memcpy(transaction->aid, &skb->data[2], aid_len); |
5330 | + memcpy(transaction->params, &skb->data[aid_len + 4], params_len); |
5331 | |
5332 | r = nfc_se_transaction(hdev->ndev, host, transaction); |
5333 | break; |
5334 | diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c |
5335 | index 7a57b61f0340e..a163fd9331b3c 100644 |
5336 | --- a/drivers/scsi/ipr.c |
5337 | +++ b/drivers/scsi/ipr.c |
5338 | @@ -9772,7 +9772,7 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg) |
5339 | GFP_KERNEL); |
5340 | |
5341 | if (!ioa_cfg->hrrq[i].host_rrq) { |
5342 | - while (--i > 0) |
5343 | + while (--i >= 0) |
5344 | dma_free_coherent(&pdev->dev, |
5345 | sizeof(u32) * ioa_cfg->hrrq[i].size, |
5346 | ioa_cfg->hrrq[i].host_rrq, |
5347 | @@ -10045,7 +10045,7 @@ static int ipr_request_other_msi_irqs(struct ipr_ioa_cfg *ioa_cfg, |
5348 | ioa_cfg->vectors_info[i].desc, |
5349 | &ioa_cfg->hrrq[i]); |
5350 | if (rc) { |
5351 | - while (--i >= 0) |
5352 | + while (--i > 0) |
5353 | free_irq(pci_irq_vector(pdev, i), |
5354 | &ioa_cfg->hrrq[i]); |
5355 | return rc; |
5356 | diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h |
5357 | index b8a772f80d6c5..cbea3e0c1a7d8 100644 |
5358 | --- a/drivers/scsi/lpfc/lpfc_hw4.h |
5359 | +++ b/drivers/scsi/lpfc/lpfc_hw4.h |
5360 | @@ -4249,6 +4249,9 @@ struct wqe_common { |
5361 | #define wqe_sup_SHIFT 6 |
5362 | #define wqe_sup_MASK 0x00000001 |
5363 | #define wqe_sup_WORD word11 |
5364 | +#define wqe_ffrq_SHIFT 6 |
5365 | +#define wqe_ffrq_MASK 0x00000001 |
5366 | +#define wqe_ffrq_WORD word11 |
5367 | #define wqe_wqec_SHIFT 7 |
5368 | #define wqe_wqec_MASK 0x00000001 |
5369 | #define wqe_wqec_WORD word11 |
5370 | diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c |
5371 | index df2f7c3d7f845..e6a94f550a572 100644 |
5372 | --- a/drivers/scsi/lpfc/lpfc_nportdisc.c |
5373 | +++ b/drivers/scsi/lpfc/lpfc_nportdisc.c |
5374 | @@ -842,7 +842,8 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, |
5375 | else |
5376 | lpfc_els_rsp_acc(vport, ELS_CMD_ACC, cmdiocb, ndlp, NULL); |
5377 | if (ndlp->nlp_DID == Fabric_DID) { |
5378 | - if (vport->port_state <= LPFC_FDISC) |
5379 | + if (vport->port_state <= LPFC_FDISC || |
5380 | + vport->fc_flag & FC_PT2PT) |
5381 | goto out; |
5382 | lpfc_linkdown_port(vport); |
5383 | spin_lock_irq(shost->host_lock); |
5384 | diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c |
5385 | index 5a86a1ee0de3b..193c1a81cac01 100644 |
5386 | --- a/drivers/scsi/lpfc/lpfc_nvme.c |
5387 | +++ b/drivers/scsi/lpfc/lpfc_nvme.c |
5388 | @@ -1202,7 +1202,8 @@ lpfc_nvme_prep_io_cmd(struct lpfc_vport *vport, |
5389 | { |
5390 | struct lpfc_hba *phba = vport->phba; |
5391 | struct nvmefc_fcp_req *nCmd = lpfc_ncmd->nvmeCmd; |
5392 | - struct lpfc_iocbq *pwqeq = &(lpfc_ncmd->cur_iocbq); |
5393 | + struct nvme_common_command *sqe; |
5394 | + struct lpfc_iocbq *pwqeq = &lpfc_ncmd->cur_iocbq; |
5395 | union lpfc_wqe128 *wqe = &pwqeq->wqe; |
5396 | uint32_t req_len; |
5397 | |
5398 | @@ -1258,8 +1259,14 @@ lpfc_nvme_prep_io_cmd(struct lpfc_vport *vport, |
5399 | cstat->control_requests++; |
5400 | } |
5401 | |
5402 | - if (pnode->nlp_nvme_info & NLP_NVME_NSLER) |
5403 | + if (pnode->nlp_nvme_info & NLP_NVME_NSLER) { |
5404 | bf_set(wqe_erp, &wqe->generic.wqe_com, 1); |
5405 | + sqe = &((struct nvme_fc_cmd_iu *) |
5406 | + nCmd->cmdaddr)->sqe.common; |
5407 | + if (sqe->opcode == nvme_admin_async_event) |
5408 | + bf_set(wqe_ffrq, &wqe->generic.wqe_com, 1); |
5409 | + } |
5410 | + |
5411 | /* |
5412 | * Finish initializing those WQE fields that are independent |
5413 | * of the nvme_cmnd request_buffer |
5414 | diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c |
5415 | index 398d2af60832c..f95a970db8fdb 100644 |
5416 | --- a/drivers/scsi/pmcraid.c |
5417 | +++ b/drivers/scsi/pmcraid.c |
5418 | @@ -4532,7 +4532,7 @@ pmcraid_register_interrupt_handler(struct pmcraid_instance *pinstance) |
5419 | return 0; |
5420 | |
5421 | out_unwind: |
5422 | - while (--i > 0) |
5423 | + while (--i >= 0) |
5424 | free_irq(pci_irq_vector(pdev, i), &pinstance->hrrq_vector[i]); |
5425 | pci_free_irq_vectors(pdev); |
5426 | return rc; |
5427 | diff --git a/drivers/scsi/vmw_pvscsi.h b/drivers/scsi/vmw_pvscsi.h |
5428 | index 75966d3f326e0..d87c12324c032 100644 |
5429 | --- a/drivers/scsi/vmw_pvscsi.h |
5430 | +++ b/drivers/scsi/vmw_pvscsi.h |
5431 | @@ -333,8 +333,8 @@ struct PVSCSIRingReqDesc { |
5432 | u8 tag; |
5433 | u8 bus; |
5434 | u8 target; |
5435 | - u8 vcpuHint; |
5436 | - u8 unused[59]; |
5437 | + u16 vcpuHint; |
5438 | + u8 unused[58]; |
5439 | } __packed; |
5440 | |
5441 | /* |
5442 | diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c |
5443 | index 7769eadfaf61d..ccc65cfc519f5 100644 |
5444 | --- a/drivers/staging/comedi/drivers/vmk80xx.c |
5445 | +++ b/drivers/staging/comedi/drivers/vmk80xx.c |
5446 | @@ -685,7 +685,7 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev) |
5447 | if (!devpriv->usb_rx_buf) |
5448 | return -ENOMEM; |
5449 | |
5450 | - size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE); |
5451 | + size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE); |
5452 | devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); |
5453 | if (!devpriv->usb_tx_buf) |
5454 | return -ENOMEM; |
5455 | diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c |
5456 | index abc84d84f6386..9180ca5e4dcd4 100644 |
5457 | --- a/drivers/tty/goldfish.c |
5458 | +++ b/drivers/tty/goldfish.c |
5459 | @@ -428,7 +428,7 @@ static int goldfish_tty_remove(struct platform_device *pdev) |
5460 | tty_unregister_device(goldfish_tty_driver, qtty->console.index); |
5461 | iounmap(qtty->base); |
5462 | qtty->base = NULL; |
5463 | - free_irq(qtty->irq, pdev); |
5464 | + free_irq(qtty->irq, qtty); |
5465 | tty_port_destroy(&qtty->port); |
5466 | goldfish_tty_current_line_count--; |
5467 | if (goldfish_tty_current_line_count == 0) |
5468 | diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c |
5469 | index c1891c55897ad..cb975228726e0 100644 |
5470 | --- a/drivers/tty/serial/8250/8250_port.c |
5471 | +++ b/drivers/tty/serial/8250/8250_port.c |
5472 | @@ -1476,6 +1476,8 @@ static inline void __stop_tx(struct uart_8250_port *p) |
5473 | |
5474 | if (em485) { |
5475 | unsigned char lsr = serial_in(p, UART_LSR); |
5476 | + p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS; |
5477 | + |
5478 | /* |
5479 | * To provide required timeing and allow FIFO transfer, |
5480 | * __stop_tx_rs485() must be called only when both FIFO and |
5481 | diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c |
5482 | index 78329d0e9af0a..a412ef67af18d 100644 |
5483 | --- a/drivers/usb/dwc2/hcd.c |
5484 | +++ b/drivers/usb/dwc2/hcd.c |
5485 | @@ -5076,7 +5076,7 @@ int dwc2_hcd_init(struct dwc2_hsotg *hsotg) |
5486 | res = platform_get_resource(pdev, IORESOURCE_MEM, 0); |
5487 | if (!res) { |
5488 | retval = -EINVAL; |
5489 | - goto error1; |
5490 | + goto error2; |
5491 | } |
5492 | hcd->rsrc_start = res->start; |
5493 | hcd->rsrc_len = resource_size(res); |
5494 | diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c |
5495 | index 6d2f1f98f13df..f71f61bcfe1e1 100644 |
5496 | --- a/drivers/usb/gadget/udc/lpc32xx_udc.c |
5497 | +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c |
5498 | @@ -3027,6 +3027,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) |
5499 | } |
5500 | |
5501 | udc->isp1301_i2c_client = isp1301_get_client(isp1301_node); |
5502 | + of_node_put(isp1301_node); |
5503 | if (!udc->isp1301_i2c_client) { |
5504 | return -EPROBE_DEFER; |
5505 | } |
5506 | diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c |
5507 | index c327d4cf79285..03bcab3b9bd09 100644 |
5508 | --- a/drivers/usb/serial/io_ti.c |
5509 | +++ b/drivers/usb/serial/io_ti.c |
5510 | @@ -168,6 +168,7 @@ static const struct usb_device_id edgeport_2port_id_table[] = { |
5511 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_8S) }, |
5512 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416) }, |
5513 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416B) }, |
5514 | + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_E5805A) }, |
5515 | { } |
5516 | }; |
5517 | |
5518 | @@ -206,6 +207,7 @@ static const struct usb_device_id id_table_combined[] = { |
5519 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_8S) }, |
5520 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416) }, |
5521 | { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416B) }, |
5522 | + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_E5805A) }, |
5523 | { } |
5524 | }; |
5525 | |
5526 | diff --git a/drivers/usb/serial/io_usbvend.h b/drivers/usb/serial/io_usbvend.h |
5527 | index c38e87ac5ea9e..7ca5ca49adff8 100644 |
5528 | --- a/drivers/usb/serial/io_usbvend.h |
5529 | +++ b/drivers/usb/serial/io_usbvend.h |
5530 | @@ -212,6 +212,7 @@ |
5531 | // |
5532 | // Definitions for other product IDs |
5533 | #define ION_DEVICE_ID_MT4X56USB 0x1403 // OEM device |
5534 | +#define ION_DEVICE_ID_E5805A 0x1A01 // OEM device (rebranded Edgeport/4) |
5535 | |
5536 | |
5537 | #define GENERATION_ID_FROM_USB_PRODUCT_ID(ProductId) \ |
5538 | diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c |
5539 | index 62f79fd5257bc..ec4fdb8140917 100644 |
5540 | --- a/drivers/usb/serial/option.c |
5541 | +++ b/drivers/usb/serial/option.c |
5542 | @@ -432,6 +432,8 @@ static void option_instat_callback(struct urb *urb); |
5543 | #define CINTERION_PRODUCT_CLS8 0x00b0 |
5544 | #define CINTERION_PRODUCT_MV31_MBIM 0x00b3 |
5545 | #define CINTERION_PRODUCT_MV31_RMNET 0x00b7 |
5546 | +#define CINTERION_PRODUCT_MV31_2_MBIM 0x00b8 |
5547 | +#define CINTERION_PRODUCT_MV31_2_RMNET 0x00b9 |
5548 | #define CINTERION_PRODUCT_MV32_WA 0x00f1 |
5549 | #define CINTERION_PRODUCT_MV32_WB 0x00f2 |
5550 | |
5551 | @@ -1979,6 +1981,10 @@ static const struct usb_device_id option_ids[] = { |
5552 | .driver_info = RSVD(3)}, |
5553 | { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_RMNET, 0xff), |
5554 | .driver_info = RSVD(0)}, |
5555 | + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_2_MBIM, 0xff), |
5556 | + .driver_info = RSVD(3)}, |
5557 | + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_2_RMNET, 0xff), |
5558 | + .driver_info = RSVD(0)}, |
5559 | { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WA, 0xff), |
5560 | .driver_info = RSVD(3)}, |
5561 | { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WB, 0xff), |
5562 | diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c |
5563 | index e09edb5c5e065..74547323aa836 100644 |
5564 | --- a/drivers/virtio/virtio_mmio.c |
5565 | +++ b/drivers/virtio/virtio_mmio.c |
5566 | @@ -669,6 +669,7 @@ static int vm_cmdline_set(const char *device, |
5567 | if (!vm_cmdline_parent_registered) { |
5568 | err = device_register(&vm_cmdline_parent); |
5569 | if (err) { |
5570 | + put_device(&vm_cmdline_parent); |
5571 | pr_err("Failed to register parent device!\n"); |
5572 | return err; |
5573 | } |
5574 | diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c |
5575 | index b35bb2d57f62c..1e890ef176873 100644 |
5576 | --- a/drivers/virtio/virtio_pci_common.c |
5577 | +++ b/drivers/virtio/virtio_pci_common.c |
5578 | @@ -254,8 +254,7 @@ void vp_del_vqs(struct virtio_device *vdev) |
5579 | |
5580 | if (vp_dev->msix_affinity_masks) { |
5581 | for (i = 0; i < vp_dev->msix_vectors; i++) |
5582 | - if (vp_dev->msix_affinity_masks[i]) |
5583 | - free_cpumask_var(vp_dev->msix_affinity_masks[i]); |
5584 | + free_cpumask_var(vp_dev->msix_affinity_masks[i]); |
5585 | } |
5586 | |
5587 | if (vp_dev->msix_enabled) { |
5588 | diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c |
5589 | index 60328b21c5fbd..9795fe0f1ba21 100644 |
5590 | --- a/fs/9p/vfs_inode_dotl.c |
5591 | +++ b/fs/9p/vfs_inode_dotl.c |
5592 | @@ -641,14 +641,10 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, |
5593 | if (stat->st_result_mask & P9_STATS_NLINK) |
5594 | set_nlink(inode, stat->st_nlink); |
5595 | if (stat->st_result_mask & P9_STATS_MODE) { |
5596 | - inode->i_mode = stat->st_mode; |
5597 | - if ((S_ISBLK(inode->i_mode)) || |
5598 | - (S_ISCHR(inode->i_mode))) |
5599 | - init_special_inode(inode, inode->i_mode, |
5600 | - inode->i_rdev); |
5601 | + mode = stat->st_mode & S_IALLUGO; |
5602 | + mode |= inode->i_mode & ~S_IALLUGO; |
5603 | + inode->i_mode = mode; |
5604 | } |
5605 | - if (stat->st_result_mask & P9_STATS_RDEV) |
5606 | - inode->i_rdev = new_decode_dev(stat->st_rdev); |
5607 | if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) && |
5608 | stat->st_result_mask & P9_STATS_SIZE) |
5609 | v9fs_i_size_write(inode, stat->st_size); |
5610 | diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c |
5611 | index e0226b2138d64..8fcc53d83af2d 100644 |
5612 | --- a/fs/compat_ioctl.c |
5613 | +++ b/fs/compat_ioctl.c |
5614 | @@ -808,13 +808,6 @@ COMPATIBLE_IOCTL(WDIOC_SETTIMEOUT) |
5615 | COMPATIBLE_IOCTL(WDIOC_GETTIMEOUT) |
5616 | COMPATIBLE_IOCTL(WDIOC_SETPRETIMEOUT) |
5617 | COMPATIBLE_IOCTL(WDIOC_GETPRETIMEOUT) |
5618 | -/* Big R */ |
5619 | -COMPATIBLE_IOCTL(RNDGETENTCNT) |
5620 | -COMPATIBLE_IOCTL(RNDADDTOENTCNT) |
5621 | -COMPATIBLE_IOCTL(RNDGETPOOL) |
5622 | -COMPATIBLE_IOCTL(RNDADDENTROPY) |
5623 | -COMPATIBLE_IOCTL(RNDZAPENTCNT) |
5624 | -COMPATIBLE_IOCTL(RNDCLEARPOOL) |
5625 | /* Bluetooth */ |
5626 | COMPATIBLE_IOCTL(HCIDEVUP) |
5627 | COMPATIBLE_IOCTL(HCIDEVDOWN) |
5628 | diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c |
5629 | index 0307702d114db..3c3166ba43649 100644 |
5630 | --- a/fs/ext4/mballoc.c |
5631 | +++ b/fs/ext4/mballoc.c |
5632 | @@ -3172,6 +3172,15 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, |
5633 | size = size >> bsbits; |
5634 | start = start_off >> bsbits; |
5635 | |
5636 | + /* |
5637 | + * For tiny groups (smaller than 8MB) the chosen allocation |
5638 | + * alignment may be larger than group size. Make sure the |
5639 | + * alignment does not move allocation to a different group which |
5640 | + * makes mballoc fail assertions later. |
5641 | + */ |
5642 | + start = max(start, rounddown(ac->ac_o_ex.fe_logical, |
5643 | + (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb))); |
5644 | + |
5645 | /* don't cover already allocated blocks in selected range */ |
5646 | if (ar->pleft && start <= ar->lleft) { |
5647 | size -= ar->lleft + 1 - start; |
5648 | diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c |
5649 | index b01059bb562c0..d151892db8b0c 100644 |
5650 | --- a/fs/ext4/namei.c |
5651 | +++ b/fs/ext4/namei.c |
5652 | @@ -1836,7 +1836,8 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, |
5653 | struct dx_hash_info *hinfo) |
5654 | { |
5655 | unsigned blocksize = dir->i_sb->s_blocksize; |
5656 | - unsigned count, continued; |
5657 | + unsigned continued; |
5658 | + int count; |
5659 | struct buffer_head *bh2; |
5660 | ext4_lblk_t newblock; |
5661 | u32 hash2; |
5662 | diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c |
5663 | index b7f20196439a2..6410c1e098d36 100644 |
5664 | --- a/fs/ext4/resize.c |
5665 | +++ b/fs/ext4/resize.c |
5666 | @@ -52,6 +52,16 @@ int ext4_resize_begin(struct super_block *sb) |
5667 | if (!capable(CAP_SYS_RESOURCE)) |
5668 | return -EPERM; |
5669 | |
5670 | + /* |
5671 | + * If the reserved GDT blocks is non-zero, the resize_inode feature |
5672 | + * should always be set. |
5673 | + */ |
5674 | + if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks && |
5675 | + !ext4_has_feature_resize_inode(sb)) { |
5676 | + ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero"); |
5677 | + return -EFSCORRUPTED; |
5678 | + } |
5679 | + |
5680 | /* |
5681 | * If we are not using the primary superblock/GDT copy don't resize, |
5682 | * because the user tools have no way of handling this. Probably a |
5683 | diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c |
5684 | index 2fe48982fbb48..3b19fa74b0620 100644 |
5685 | --- a/fs/nfs/pnfs.c |
5686 | +++ b/fs/nfs/pnfs.c |
5687 | @@ -2111,6 +2111,12 @@ lookup_again: |
5688 | case -ERECALLCONFLICT: |
5689 | case -EAGAIN: |
5690 | break; |
5691 | + case -ENODATA: |
5692 | + /* The server returned NFS4ERR_LAYOUTUNAVAILABLE */ |
5693 | + pnfs_layout_set_fail_bit( |
5694 | + lo, pnfs_iomode_to_fail_bit(iomode)); |
5695 | + lseg = NULL; |
5696 | + goto out_put_layout_hdr; |
5697 | default: |
5698 | if (!nfs_error_is_fatal(PTR_ERR(lseg))) { |
5699 | pnfs_layout_clear_fail_bit(lo, pnfs_iomode_to_fail_bit(iomode)); |
5700 | diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h |
5701 | new file mode 100644 |
5702 | index 0000000000000..d439496fa6baa |
5703 | --- /dev/null |
5704 | +++ b/include/crypto/blake2s.h |
5705 | @@ -0,0 +1,102 @@ |
5706 | +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ |
5707 | +/* |
5708 | + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
5709 | + */ |
5710 | + |
5711 | +#ifndef _CRYPTO_BLAKE2S_H |
5712 | +#define _CRYPTO_BLAKE2S_H |
5713 | + |
5714 | +#include <linux/bug.h> |
5715 | +#include <linux/types.h> |
5716 | +#include <linux/kernel.h> |
5717 | +#include <linux/string.h> |
5718 | + |
5719 | +enum blake2s_lengths { |
5720 | + BLAKE2S_BLOCK_SIZE = 64, |
5721 | + BLAKE2S_HASH_SIZE = 32, |
5722 | + BLAKE2S_KEY_SIZE = 32, |
5723 | + |
5724 | + BLAKE2S_128_HASH_SIZE = 16, |
5725 | + BLAKE2S_160_HASH_SIZE = 20, |
5726 | + BLAKE2S_224_HASH_SIZE = 28, |
5727 | + BLAKE2S_256_HASH_SIZE = 32, |
5728 | +}; |
5729 | + |
5730 | +struct blake2s_state { |
5731 | + u32 h[8]; |
5732 | + u32 t[2]; |
5733 | + u32 f[2]; |
5734 | + u8 buf[BLAKE2S_BLOCK_SIZE]; |
5735 | + unsigned int buflen; |
5736 | + unsigned int outlen; |
5737 | +}; |
5738 | + |
5739 | +enum blake2s_iv { |
5740 | + BLAKE2S_IV0 = 0x6A09E667UL, |
5741 | + BLAKE2S_IV1 = 0xBB67AE85UL, |
5742 | + BLAKE2S_IV2 = 0x3C6EF372UL, |
5743 | + BLAKE2S_IV3 = 0xA54FF53AUL, |
5744 | + BLAKE2S_IV4 = 0x510E527FUL, |
5745 | + BLAKE2S_IV5 = 0x9B05688CUL, |
5746 | + BLAKE2S_IV6 = 0x1F83D9ABUL, |
5747 | + BLAKE2S_IV7 = 0x5BE0CD19UL, |
5748 | +}; |
5749 | + |
5750 | +void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen); |
5751 | +void blake2s_final(struct blake2s_state *state, u8 *out); |
5752 | + |
5753 | +static inline void blake2s_init_param(struct blake2s_state *state, |
5754 | + const u32 param) |
5755 | +{ |
5756 | + *state = (struct blake2s_state){{ |
5757 | + BLAKE2S_IV0 ^ param, |
5758 | + BLAKE2S_IV1, |
5759 | + BLAKE2S_IV2, |
5760 | + BLAKE2S_IV3, |
5761 | + BLAKE2S_IV4, |
5762 | + BLAKE2S_IV5, |
5763 | + BLAKE2S_IV6, |
5764 | + BLAKE2S_IV7, |
5765 | + }}; |
5766 | +} |
5767 | + |
5768 | +static inline void blake2s_init(struct blake2s_state *state, |
5769 | + const size_t outlen) |
5770 | +{ |
5771 | + blake2s_init_param(state, 0x01010000 | outlen); |
5772 | + state->outlen = outlen; |
5773 | +} |
5774 | + |
5775 | +static inline void blake2s_init_key(struct blake2s_state *state, |
5776 | + const size_t outlen, const void *key, |
5777 | + const size_t keylen) |
5778 | +{ |
5779 | + WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE || |
5780 | + !key || !keylen || keylen > BLAKE2S_KEY_SIZE)); |
5781 | + |
5782 | + blake2s_init_param(state, 0x01010000 | keylen << 8 | outlen); |
5783 | + memcpy(state->buf, key, keylen); |
5784 | + state->buflen = BLAKE2S_BLOCK_SIZE; |
5785 | + state->outlen = outlen; |
5786 | +} |
5787 | + |
5788 | +static inline void blake2s(u8 *out, const u8 *in, const u8 *key, |
5789 | + const size_t outlen, const size_t inlen, |
5790 | + const size_t keylen) |
5791 | +{ |
5792 | + struct blake2s_state state; |
5793 | + |
5794 | + WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen || |
5795 | + outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE || |
5796 | + (!key && keylen))); |
5797 | + |
5798 | + if (keylen) |
5799 | + blake2s_init_key(&state, outlen, key, keylen); |
5800 | + else |
5801 | + blake2s_init(&state, outlen); |
5802 | + |
5803 | + blake2s_update(&state, in, inlen); |
5804 | + blake2s_final(&state, out); |
5805 | +} |
5806 | + |
5807 | +#endif /* _CRYPTO_BLAKE2S_H */ |
5808 | diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h |
5809 | index d1e723c6a37dd..542f896115f45 100644 |
5810 | --- a/include/crypto/chacha.h |
5811 | +++ b/include/crypto/chacha.h |
5812 | @@ -51,4 +51,19 @@ int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key, |
5813 | int crypto_chacha_crypt(struct skcipher_request *req); |
5814 | int crypto_xchacha_crypt(struct skcipher_request *req); |
5815 | |
5816 | +enum chacha_constants { /* expand 32-byte k */ |
5817 | + CHACHA_CONSTANT_EXPA = 0x61707865U, |
5818 | + CHACHA_CONSTANT_ND_3 = 0x3320646eU, |
5819 | + CHACHA_CONSTANT_2_BY = 0x79622d32U, |
5820 | + CHACHA_CONSTANT_TE_K = 0x6b206574U |
5821 | +}; |
5822 | + |
5823 | +static inline void chacha_init_consts(u32 *state) |
5824 | +{ |
5825 | + state[0] = CHACHA_CONSTANT_EXPA; |
5826 | + state[1] = CHACHA_CONSTANT_ND_3; |
5827 | + state[2] = CHACHA_CONSTANT_2_BY; |
5828 | + state[3] = CHACHA_CONSTANT_TE_K; |
5829 | +} |
5830 | + |
5831 | #endif /* _CRYPTO_CHACHA_H */ |
5832 | diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h |
5833 | index 8c9af21efce1d..a6c3b8e7deb64 100644 |
5834 | --- a/include/crypto/drbg.h |
5835 | +++ b/include/crypto/drbg.h |
5836 | @@ -105,6 +105,12 @@ struct drbg_test_data { |
5837 | struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ |
5838 | }; |
5839 | |
5840 | +enum drbg_seed_state { |
5841 | + DRBG_SEED_STATE_UNSEEDED, |
5842 | + DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */ |
5843 | + DRBG_SEED_STATE_FULL, |
5844 | +}; |
5845 | + |
5846 | struct drbg_state { |
5847 | struct mutex drbg_mutex; /* lock around DRBG */ |
5848 | unsigned char *V; /* internal state 10.1.1.1 1a) */ |
5849 | @@ -127,16 +133,14 @@ struct drbg_state { |
5850 | struct crypto_wait ctr_wait; /* CTR mode async wait obj */ |
5851 | struct scatterlist sg_in, sg_out; /* CTR mode SGLs */ |
5852 | |
5853 | - bool seeded; /* DRBG fully seeded? */ |
5854 | + enum drbg_seed_state seeded; /* DRBG fully seeded? */ |
5855 | bool pr; /* Prediction resistance enabled? */ |
5856 | bool fips_primed; /* Continuous test primed? */ |
5857 | unsigned char *prev; /* FIPS 140-2 continuous test value */ |
5858 | - struct work_struct seed_work; /* asynchronous seeding support */ |
5859 | struct crypto_rng *jent; |
5860 | const struct drbg_state_ops *d_ops; |
5861 | const struct drbg_core *core; |
5862 | struct drbg_string test_data; |
5863 | - struct random_ready_callback random_ready; |
5864 | }; |
5865 | |
5866 | static inline __u8 drbg_statelen(struct drbg_state *drbg) |
5867 | @@ -184,11 +188,7 @@ static inline size_t drbg_max_addtl(struct drbg_state *drbg) |
5868 | static inline size_t drbg_max_requests(struct drbg_state *drbg) |
5869 | { |
5870 | /* SP800-90A requires 2**48 maximum requests before reseeding */ |
5871 | -#if (__BITS_PER_LONG == 32) |
5872 | - return SIZE_MAX; |
5873 | -#else |
5874 | - return (1UL<<48); |
5875 | -#endif |
5876 | + return (1<<20); |
5877 | } |
5878 | |
5879 | /* |
5880 | diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h |
5881 | new file mode 100644 |
5882 | index 0000000000000..3ba066845b699 |
5883 | --- /dev/null |
5884 | +++ b/include/crypto/internal/blake2s.h |
5885 | @@ -0,0 +1,19 @@ |
5886 | +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ |
5887 | + |
5888 | +#ifndef _CRYPTO_INTERNAL_BLAKE2S_H |
5889 | +#define _CRYPTO_INTERNAL_BLAKE2S_H |
5890 | + |
5891 | +#include <crypto/blake2s.h> |
5892 | + |
5893 | +void blake2s_compress_generic(struct blake2s_state *state,const u8 *block, |
5894 | + size_t nblocks, const u32 inc); |
5895 | + |
5896 | +void blake2s_compress_arch(struct blake2s_state *state,const u8 *block, |
5897 | + size_t nblocks, const u32 inc); |
5898 | + |
5899 | +static inline void blake2s_set_lastblock(struct blake2s_state *state) |
5900 | +{ |
5901 | + state->f[0] = -1; |
5902 | +} |
5903 | + |
5904 | +#endif /* _CRYPTO_INTERNAL_BLAKE2S_H */ |
5905 | diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h |
5906 | index bd1f23536b1b6..15835f37bd5f2 100644 |
5907 | --- a/include/linux/cpuhotplug.h |
5908 | +++ b/include/linux/cpuhotplug.h |
5909 | @@ -60,6 +60,7 @@ enum cpuhp_state { |
5910 | CPUHP_LUSTRE_CFS_DEAD, |
5911 | CPUHP_AP_ARM_CACHE_B15_RAC_DEAD, |
5912 | CPUHP_PADATA_DEAD, |
5913 | + CPUHP_RANDOM_PREPARE, |
5914 | CPUHP_WORKQUEUE_PREP, |
5915 | CPUHP_POWER_NUMA_PREPARE, |
5916 | CPUHP_HRTIMERS_PREPARE, |
5917 | @@ -177,6 +178,7 @@ enum cpuhp_state { |
5918 | CPUHP_AP_PERF_POWERPC_TRACE_IMC_ONLINE, |
5919 | CPUHP_AP_WATCHDOG_ONLINE, |
5920 | CPUHP_AP_WORKQUEUE_ONLINE, |
5921 | + CPUHP_AP_RANDOM_ONLINE, |
5922 | CPUHP_AP_RCUTREE_ONLINE, |
5923 | CPUHP_AP_BASE_CACHEINFO_ONLINE, |
5924 | CPUHP_AP_ONLINE_DYN, |
5925 | diff --git a/include/linux/hw_random.h b/include/linux/hw_random.h |
5926 | index 8e6dd908da216..aa1d4da03538b 100644 |
5927 | --- a/include/linux/hw_random.h |
5928 | +++ b/include/linux/hw_random.h |
5929 | @@ -60,7 +60,5 @@ extern int devm_hwrng_register(struct device *dev, struct hwrng *rng); |
5930 | /** Unregister a Hardware Random Number Generator driver. */ |
5931 | extern void hwrng_unregister(struct hwrng *rng); |
5932 | extern void devm_hwrng_unregister(struct device *dve, struct hwrng *rng); |
5933 | -/** Feed random bits into the pool. */ |
5934 | -extern void add_hwgenerator_randomness(const char *buffer, size_t count, size_t entropy); |
5935 | |
5936 | #endif /* LINUX_HWRANDOM_H_ */ |
5937 | diff --git a/include/linux/mm.h b/include/linux/mm.h |
5938 | index a7d626b4cad1c..c125fea49752f 100644 |
5939 | --- a/include/linux/mm.h |
5940 | +++ b/include/linux/mm.h |
5941 | @@ -2354,6 +2354,7 @@ extern int install_special_mapping(struct mm_struct *mm, |
5942 | unsigned long flags, struct page **pages); |
5943 | |
5944 | unsigned long randomize_stack_top(unsigned long stack_top); |
5945 | +unsigned long randomize_page(unsigned long start, unsigned long range); |
5946 | |
5947 | extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); |
5948 | |
5949 | diff --git a/include/linux/prandom.h b/include/linux/prandom.h |
5950 | index e20339c78a84c..709e8e69fb39b 100644 |
5951 | --- a/include/linux/prandom.h |
5952 | +++ b/include/linux/prandom.h |
5953 | @@ -10,6 +10,7 @@ |
5954 | |
5955 | #include <linux/types.h> |
5956 | #include <linux/percpu.h> |
5957 | +#include <linux/siphash.h> |
5958 | |
5959 | u32 prandom_u32(void); |
5960 | void prandom_bytes(void *buf, size_t nbytes); |
5961 | @@ -21,15 +22,10 @@ void prandom_reseed_late(void); |
5962 | * The core SipHash round function. Each line can be executed in |
5963 | * parallel given enough CPU resources. |
5964 | */ |
5965 | -#define PRND_SIPROUND(v0, v1, v2, v3) ( \ |
5966 | - v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \ |
5967 | - v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \ |
5968 | - v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \ |
5969 | - v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \ |
5970 | -) |
5971 | +#define PRND_SIPROUND(v0, v1, v2, v3) SIPHASH_PERMUTATION(v0, v1, v2, v3) |
5972 | |
5973 | -#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261) |
5974 | -#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573) |
5975 | +#define PRND_K0 (SIPHASH_CONST_0 ^ SIPHASH_CONST_2) |
5976 | +#define PRND_K1 (SIPHASH_CONST_1 ^ SIPHASH_CONST_3) |
5977 | |
5978 | #elif BITS_PER_LONG == 32 |
5979 | /* |
5980 | @@ -37,14 +33,9 @@ void prandom_reseed_late(void); |
5981 | * This is weaker, but 32-bit machines are not used for high-traffic |
5982 | * applications, so there is less output for an attacker to analyze. |
5983 | */ |
5984 | -#define PRND_SIPROUND(v0, v1, v2, v3) ( \ |
5985 | - v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \ |
5986 | - v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \ |
5987 | - v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \ |
5988 | - v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \ |
5989 | -) |
5990 | -#define PRND_K0 0x6c796765 |
5991 | -#define PRND_K1 0x74656462 |
5992 | +#define PRND_SIPROUND(v0, v1, v2, v3) HSIPHASH_PERMUTATION(v0, v1, v2, v3) |
5993 | +#define PRND_K0 (HSIPHASH_CONST_0 ^ HSIPHASH_CONST_2) |
5994 | +#define PRND_K1 (HSIPHASH_CONST_1 ^ HSIPHASH_CONST_3) |
5995 | |
5996 | #else |
5997 | #error Unsupported BITS_PER_LONG |
5998 | diff --git a/include/linux/random.h b/include/linux/random.h |
5999 | index 5b3ec7d2791f8..3feafab498ad9 100644 |
6000 | --- a/include/linux/random.h |
6001 | +++ b/include/linux/random.h |
6002 | @@ -1,52 +1,35 @@ |
6003 | /* SPDX-License-Identifier: GPL-2.0 */ |
6004 | -/* |
6005 | - * include/linux/random.h |
6006 | - * |
6007 | - * Include file for the random number generator. |
6008 | - */ |
6009 | + |
6010 | #ifndef _LINUX_RANDOM_H |
6011 | #define _LINUX_RANDOM_H |
6012 | |
6013 | +#include <linux/bug.h> |
6014 | +#include <linux/kernel.h> |
6015 | #include <linux/list.h> |
6016 | #include <linux/once.h> |
6017 | |
6018 | #include <uapi/linux/random.h> |
6019 | |
6020 | -struct random_ready_callback { |
6021 | - struct list_head list; |
6022 | - void (*func)(struct random_ready_callback *rdy); |
6023 | - struct module *owner; |
6024 | -}; |
6025 | +struct notifier_block; |
6026 | |
6027 | -extern void add_device_randomness(const void *, unsigned int); |
6028 | -extern void add_bootloader_randomness(const void *, unsigned int); |
6029 | +void add_device_randomness(const void *buf, size_t len); |
6030 | +void __init add_bootloader_randomness(const void *buf, size_t len); |
6031 | +void add_input_randomness(unsigned int type, unsigned int code, |
6032 | + unsigned int value) __latent_entropy; |
6033 | +void add_interrupt_randomness(int irq) __latent_entropy; |
6034 | +void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy); |
6035 | |
6036 | #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) |
6037 | static inline void add_latent_entropy(void) |
6038 | { |
6039 | - add_device_randomness((const void *)&latent_entropy, |
6040 | - sizeof(latent_entropy)); |
6041 | + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); |
6042 | } |
6043 | #else |
6044 | -static inline void add_latent_entropy(void) {} |
6045 | -#endif |
6046 | - |
6047 | -extern void add_input_randomness(unsigned int type, unsigned int code, |
6048 | - unsigned int value) __latent_entropy; |
6049 | -extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy; |
6050 | - |
6051 | -extern void get_random_bytes(void *buf, int nbytes); |
6052 | -extern int wait_for_random_bytes(void); |
6053 | -extern int __init rand_initialize(void); |
6054 | -extern bool rng_is_initialized(void); |
6055 | -extern int add_random_ready_callback(struct random_ready_callback *rdy); |
6056 | -extern void del_random_ready_callback(struct random_ready_callback *rdy); |
6057 | -extern int __must_check get_random_bytes_arch(void *buf, int nbytes); |
6058 | - |
6059 | -#ifndef MODULE |
6060 | -extern const struct file_operations random_fops, urandom_fops; |
6061 | +static inline void add_latent_entropy(void) { } |
6062 | #endif |
6063 | |
6064 | +void get_random_bytes(void *buf, size_t len); |
6065 | +size_t __must_check get_random_bytes_arch(void *buf, size_t len); |
6066 | u32 get_random_u32(void); |
6067 | u64 get_random_u64(void); |
6068 | static inline unsigned int get_random_int(void) |
6069 | @@ -78,36 +61,38 @@ static inline unsigned long get_random_long(void) |
6070 | |
6071 | static inline unsigned long get_random_canary(void) |
6072 | { |
6073 | - unsigned long val = get_random_long(); |
6074 | - |
6075 | - return val & CANARY_MASK; |
6076 | + return get_random_long() & CANARY_MASK; |
6077 | } |
6078 | |
6079 | +int __init random_init(const char *command_line); |
6080 | +bool rng_is_initialized(void); |
6081 | +int wait_for_random_bytes(void); |
6082 | +int register_random_ready_notifier(struct notifier_block *nb); |
6083 | +int unregister_random_ready_notifier(struct notifier_block *nb); |
6084 | + |
6085 | /* Calls wait_for_random_bytes() and then calls get_random_bytes(buf, nbytes). |
6086 | * Returns the result of the call to wait_for_random_bytes. */ |
6087 | -static inline int get_random_bytes_wait(void *buf, int nbytes) |
6088 | +static inline int get_random_bytes_wait(void *buf, size_t nbytes) |
6089 | { |
6090 | int ret = wait_for_random_bytes(); |
6091 | get_random_bytes(buf, nbytes); |
6092 | return ret; |
6093 | } |
6094 | |
6095 | -#define declare_get_random_var_wait(var) \ |
6096 | - static inline int get_random_ ## var ## _wait(var *out) { \ |
6097 | +#define declare_get_random_var_wait(name, ret_type) \ |
6098 | + static inline int get_random_ ## name ## _wait(ret_type *out) { \ |
6099 | int ret = wait_for_random_bytes(); \ |
6100 | if (unlikely(ret)) \ |
6101 | return ret; \ |
6102 | - *out = get_random_ ## var(); \ |
6103 | + *out = get_random_ ## name(); \ |
6104 | return 0; \ |
6105 | } |
6106 | -declare_get_random_var_wait(u32) |
6107 | -declare_get_random_var_wait(u64) |
6108 | -declare_get_random_var_wait(int) |
6109 | -declare_get_random_var_wait(long) |
6110 | +declare_get_random_var_wait(u32, u32) |
6111 | +declare_get_random_var_wait(u64, u32) |
6112 | +declare_get_random_var_wait(int, unsigned int) |
6113 | +declare_get_random_var_wait(long, unsigned long) |
6114 | #undef declare_get_random_var |
6115 | |
6116 | -unsigned long randomize_page(unsigned long start, unsigned long range); |
6117 | - |
6118 | /* |
6119 | * This is designed to be standalone for just prandom |
6120 | * users, but for now we include it from <linux/random.h> |
6121 | @@ -118,30 +103,39 @@ unsigned long randomize_page(unsigned long start, unsigned long range); |
6122 | #ifdef CONFIG_ARCH_RANDOM |
6123 | # include <asm/archrandom.h> |
6124 | #else |
6125 | -static inline bool arch_get_random_long(unsigned long *v) |
6126 | -{ |
6127 | - return 0; |
6128 | -} |
6129 | -static inline bool arch_get_random_int(unsigned int *v) |
6130 | -{ |
6131 | - return 0; |
6132 | -} |
6133 | -static inline bool arch_has_random(void) |
6134 | -{ |
6135 | - return 0; |
6136 | -} |
6137 | -static inline bool arch_get_random_seed_long(unsigned long *v) |
6138 | -{ |
6139 | - return 0; |
6140 | -} |
6141 | -static inline bool arch_get_random_seed_int(unsigned int *v) |
6142 | +static inline bool __must_check arch_get_random_long(unsigned long *v) { return false; } |
6143 | +static inline bool __must_check arch_get_random_int(unsigned int *v) { return false; } |
6144 | +static inline bool __must_check arch_get_random_seed_long(unsigned long *v) { return false; } |
6145 | +static inline bool __must_check arch_get_random_seed_int(unsigned int *v) { return false; } |
6146 | +#endif |
6147 | + |
6148 | +/* |
6149 | + * Called from the boot CPU during startup; not valid to call once |
6150 | + * secondary CPUs are up and preemption is possible. |
6151 | + */ |
6152 | +#ifndef arch_get_random_seed_long_early |
6153 | +static inline bool __init arch_get_random_seed_long_early(unsigned long *v) |
6154 | { |
6155 | - return 0; |
6156 | + WARN_ON(system_state != SYSTEM_BOOTING); |
6157 | + return arch_get_random_seed_long(v); |
6158 | } |
6159 | -static inline bool arch_has_random_seed(void) |
6160 | +#endif |
6161 | + |
6162 | +#ifndef arch_get_random_long_early |
6163 | +static inline bool __init arch_get_random_long_early(unsigned long *v) |
6164 | { |
6165 | - return 0; |
6166 | + WARN_ON(system_state != SYSTEM_BOOTING); |
6167 | + return arch_get_random_long(v); |
6168 | } |
6169 | #endif |
6170 | |
6171 | +#ifdef CONFIG_SMP |
6172 | +int random_prepare_cpu(unsigned int cpu); |
6173 | +int random_online_cpu(unsigned int cpu); |
6174 | +#endif |
6175 | + |
6176 | +#ifndef MODULE |
6177 | +extern const struct file_operations random_fops, urandom_fops; |
6178 | +#endif |
6179 | + |
6180 | #endif /* _LINUX_RANDOM_H */ |
6181 | diff --git a/include/linux/siphash.h b/include/linux/siphash.h |
6182 | index 0cda61855d907..0bb5ecd507bef 100644 |
6183 | --- a/include/linux/siphash.h |
6184 | +++ b/include/linux/siphash.h |
6185 | @@ -136,4 +136,32 @@ static inline u32 hsiphash(const void *data, size_t len, |
6186 | return ___hsiphash_aligned(data, len, key); |
6187 | } |
6188 | |
6189 | +/* |
6190 | + * These macros expose the raw SipHash and HalfSipHash permutations. |
6191 | + * Do not use them directly! If you think you have a use for them, |
6192 | + * be sure to CC the maintainer of this file explaining why. |
6193 | + */ |
6194 | + |
6195 | +#define SIPHASH_PERMUTATION(a, b, c, d) ( \ |
6196 | + (a) += (b), (b) = rol64((b), 13), (b) ^= (a), (a) = rol64((a), 32), \ |
6197 | + (c) += (d), (d) = rol64((d), 16), (d) ^= (c), \ |
6198 | + (a) += (d), (d) = rol64((d), 21), (d) ^= (a), \ |
6199 | + (c) += (b), (b) = rol64((b), 17), (b) ^= (c), (c) = rol64((c), 32)) |
6200 | + |
6201 | +#define SIPHASH_CONST_0 0x736f6d6570736575ULL |
6202 | +#define SIPHASH_CONST_1 0x646f72616e646f6dULL |
6203 | +#define SIPHASH_CONST_2 0x6c7967656e657261ULL |
6204 | +#define SIPHASH_CONST_3 0x7465646279746573ULL |
6205 | + |
6206 | +#define HSIPHASH_PERMUTATION(a, b, c, d) ( \ |
6207 | + (a) += (b), (b) = rol32((b), 5), (b) ^= (a), (a) = rol32((a), 16), \ |
6208 | + (c) += (d), (d) = rol32((d), 8), (d) ^= (c), \ |
6209 | + (a) += (d), (d) = rol32((d), 7), (d) ^= (a), \ |
6210 | + (c) += (b), (b) = rol32((b), 13), (b) ^= (c), (c) = rol32((c), 16)) |
6211 | + |
6212 | +#define HSIPHASH_CONST_0 0U |
6213 | +#define HSIPHASH_CONST_1 0U |
6214 | +#define HSIPHASH_CONST_2 0x6c796765U |
6215 | +#define HSIPHASH_CONST_3 0x74656462U |
6216 | + |
6217 | #endif /* _LINUX_SIPHASH_H */ |
6218 | diff --git a/include/linux/timex.h b/include/linux/timex.h |
6219 | index ce08597636705..2efab9a806a9d 100644 |
6220 | --- a/include/linux/timex.h |
6221 | +++ b/include/linux/timex.h |
6222 | @@ -62,6 +62,8 @@ |
6223 | #include <linux/types.h> |
6224 | #include <linux/param.h> |
6225 | |
6226 | +unsigned long random_get_entropy_fallback(void); |
6227 | + |
6228 | #include <asm/timex.h> |
6229 | |
6230 | #ifndef random_get_entropy |
6231 | @@ -74,8 +76,14 @@ |
6232 | * |
6233 | * By default we use get_cycles() for this purpose, but individual |
6234 | * architectures may override this in their asm/timex.h header file. |
6235 | + * If a given arch does not have get_cycles(), then we fallback to |
6236 | + * using random_get_entropy_fallback(). |
6237 | */ |
6238 | -#define random_get_entropy() get_cycles() |
6239 | +#ifdef get_cycles |
6240 | +#define random_get_entropy() ((unsigned long)get_cycles()) |
6241 | +#else |
6242 | +#define random_get_entropy() random_get_entropy_fallback() |
6243 | +#endif |
6244 | #endif |
6245 | |
6246 | /* |
6247 | diff --git a/include/trace/events/random.h b/include/trace/events/random.h |
6248 | deleted file mode 100644 |
6249 | index 32c10a515e2d5..0000000000000 |
6250 | --- a/include/trace/events/random.h |
6251 | +++ /dev/null |
6252 | @@ -1,313 +0,0 @@ |
6253 | -/* SPDX-License-Identifier: GPL-2.0 */ |
6254 | -#undef TRACE_SYSTEM |
6255 | -#define TRACE_SYSTEM random |
6256 | - |
6257 | -#if !defined(_TRACE_RANDOM_H) || defined(TRACE_HEADER_MULTI_READ) |
6258 | -#define _TRACE_RANDOM_H |
6259 | - |
6260 | -#include <linux/writeback.h> |
6261 | -#include <linux/tracepoint.h> |
6262 | - |
6263 | -TRACE_EVENT(add_device_randomness, |
6264 | - TP_PROTO(int bytes, unsigned long IP), |
6265 | - |
6266 | - TP_ARGS(bytes, IP), |
6267 | - |
6268 | - TP_STRUCT__entry( |
6269 | - __field( int, bytes ) |
6270 | - __field(unsigned long, IP ) |
6271 | - ), |
6272 | - |
6273 | - TP_fast_assign( |
6274 | - __entry->bytes = bytes; |
6275 | - __entry->IP = IP; |
6276 | - ), |
6277 | - |
6278 | - TP_printk("bytes %d caller %pS", |
6279 | - __entry->bytes, (void *)__entry->IP) |
6280 | -); |
6281 | - |
6282 | -DECLARE_EVENT_CLASS(random__mix_pool_bytes, |
6283 | - TP_PROTO(const char *pool_name, int bytes, unsigned long IP), |
6284 | - |
6285 | - TP_ARGS(pool_name, bytes, IP), |
6286 | - |
6287 | - TP_STRUCT__entry( |
6288 | - __field( const char *, pool_name ) |
6289 | - __field( int, bytes ) |
6290 | - __field(unsigned long, IP ) |
6291 | - ), |
6292 | - |
6293 | - TP_fast_assign( |
6294 | - __entry->pool_name = pool_name; |
6295 | - __entry->bytes = bytes; |
6296 | - __entry->IP = IP; |
6297 | - ), |
6298 | - |
6299 | - TP_printk("%s pool: bytes %d caller %pS", |
6300 | - __entry->pool_name, __entry->bytes, (void *)__entry->IP) |
6301 | -); |
6302 | - |
6303 | -DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes, |
6304 | - TP_PROTO(const char *pool_name, int bytes, unsigned long IP), |
6305 | - |
6306 | - TP_ARGS(pool_name, bytes, IP) |
6307 | -); |
6308 | - |
6309 | -DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock, |
6310 | - TP_PROTO(const char *pool_name, int bytes, unsigned long IP), |
6311 | - |
6312 | - TP_ARGS(pool_name, bytes, IP) |
6313 | -); |
6314 | - |
6315 | -TRACE_EVENT(credit_entropy_bits, |
6316 | - TP_PROTO(const char *pool_name, int bits, int entropy_count, |
6317 | - unsigned long IP), |
6318 | - |
6319 | - TP_ARGS(pool_name, bits, entropy_count, IP), |
6320 | - |
6321 | - TP_STRUCT__entry( |
6322 | - __field( const char *, pool_name ) |
6323 | - __field( int, bits ) |
6324 | - __field( int, entropy_count ) |
6325 | - __field(unsigned long, IP ) |
6326 | - ), |
6327 | - |
6328 | - TP_fast_assign( |
6329 | - __entry->pool_name = pool_name; |
6330 | - __entry->bits = bits; |
6331 | - __entry->entropy_count = entropy_count; |
6332 | - __entry->IP = IP; |
6333 | - ), |
6334 | - |
6335 | - TP_printk("%s pool: bits %d entropy_count %d caller %pS", |
6336 | - __entry->pool_name, __entry->bits, |
6337 | - __entry->entropy_count, (void *)__entry->IP) |
6338 | -); |
6339 | - |
6340 | -TRACE_EVENT(push_to_pool, |
6341 | - TP_PROTO(const char *pool_name, int pool_bits, int input_bits), |
6342 | - |
6343 | - TP_ARGS(pool_name, pool_bits, input_bits), |
6344 | - |
6345 | - TP_STRUCT__entry( |
6346 | - __field( const char *, pool_name ) |
6347 | - __field( int, pool_bits ) |
6348 | - __field( int, input_bits ) |
6349 | - ), |
6350 | - |
6351 | - TP_fast_assign( |
6352 | - __entry->pool_name = pool_name; |
6353 | - __entry->pool_bits = pool_bits; |
6354 | - __entry->input_bits = input_bits; |
6355 | - ), |
6356 | - |
6357 | - TP_printk("%s: pool_bits %d input_pool_bits %d", |
6358 | - __entry->pool_name, __entry->pool_bits, |
6359 | - __entry->input_bits) |
6360 | -); |
6361 | - |
6362 | -TRACE_EVENT(debit_entropy, |
6363 | - TP_PROTO(const char *pool_name, int debit_bits), |
6364 | - |
6365 | - TP_ARGS(pool_name, debit_bits), |
6366 | - |
6367 | - TP_STRUCT__entry( |
6368 | - __field( const char *, pool_name ) |
6369 | - __field( int, debit_bits ) |
6370 | - ), |
6371 | - |
6372 | - TP_fast_assign( |
6373 | - __entry->pool_name = pool_name; |
6374 | - __entry->debit_bits = debit_bits; |
6375 | - ), |
6376 | - |
6377 | - TP_printk("%s: debit_bits %d", __entry->pool_name, |
6378 | - __entry->debit_bits) |
6379 | -); |
6380 | - |
6381 | -TRACE_EVENT(add_input_randomness, |
6382 | - TP_PROTO(int input_bits), |
6383 | - |
6384 | - TP_ARGS(input_bits), |
6385 | - |
6386 | - TP_STRUCT__entry( |
6387 | - __field( int, input_bits ) |
6388 | - ), |
6389 | - |
6390 | - TP_fast_assign( |
6391 | - __entry->input_bits = input_bits; |
6392 | - ), |
6393 | - |
6394 | - TP_printk("input_pool_bits %d", __entry->input_bits) |
6395 | -); |
6396 | - |
6397 | -TRACE_EVENT(add_disk_randomness, |
6398 | - TP_PROTO(dev_t dev, int input_bits), |
6399 | - |
6400 | - TP_ARGS(dev, input_bits), |
6401 | - |
6402 | - TP_STRUCT__entry( |
6403 | - __field( dev_t, dev ) |
6404 | - __field( int, input_bits ) |
6405 | - ), |
6406 | - |
6407 | - TP_fast_assign( |
6408 | - __entry->dev = dev; |
6409 | - __entry->input_bits = input_bits; |
6410 | - ), |
6411 | - |
6412 | - TP_printk("dev %d,%d input_pool_bits %d", MAJOR(__entry->dev), |
6413 | - MINOR(__entry->dev), __entry->input_bits) |
6414 | -); |
6415 | - |
6416 | -TRACE_EVENT(xfer_secondary_pool, |
6417 | - TP_PROTO(const char *pool_name, int xfer_bits, int request_bits, |
6418 | - int pool_entropy, int input_entropy), |
6419 | - |
6420 | - TP_ARGS(pool_name, xfer_bits, request_bits, pool_entropy, |
6421 | - input_entropy), |
6422 | - |
6423 | - TP_STRUCT__entry( |
6424 | - __field( const char *, pool_name ) |
6425 | - __field( int, xfer_bits ) |
6426 | - __field( int, request_bits ) |
6427 | - __field( int, pool_entropy ) |
6428 | - __field( int, input_entropy ) |
6429 | - ), |
6430 | - |
6431 | - TP_fast_assign( |
6432 | - __entry->pool_name = pool_name; |
6433 | - __entry->xfer_bits = xfer_bits; |
6434 | - __entry->request_bits = request_bits; |
6435 | - __entry->pool_entropy = pool_entropy; |
6436 | - __entry->input_entropy = input_entropy; |
6437 | - ), |
6438 | - |
6439 | - TP_printk("pool %s xfer_bits %d request_bits %d pool_entropy %d " |
6440 | - "input_entropy %d", __entry->pool_name, __entry->xfer_bits, |
6441 | - __entry->request_bits, __entry->pool_entropy, |
6442 | - __entry->input_entropy) |
6443 | -); |
6444 | - |
6445 | -DECLARE_EVENT_CLASS(random__get_random_bytes, |
6446 | - TP_PROTO(int nbytes, unsigned long IP), |
6447 | - |
6448 | - TP_ARGS(nbytes, IP), |
6449 | - |
6450 | - TP_STRUCT__entry( |
6451 | - __field( int, nbytes ) |
6452 | - __field(unsigned long, IP ) |
6453 | - ), |
6454 | - |
6455 | - TP_fast_assign( |
6456 | - __entry->nbytes = nbytes; |
6457 | - __entry->IP = IP; |
6458 | - ), |
6459 | - |
6460 | - TP_printk("nbytes %d caller %pS", __entry->nbytes, (void *)__entry->IP) |
6461 | -); |
6462 | - |
6463 | -DEFINE_EVENT(random__get_random_bytes, get_random_bytes, |
6464 | - TP_PROTO(int nbytes, unsigned long IP), |
6465 | - |
6466 | - TP_ARGS(nbytes, IP) |
6467 | -); |
6468 | - |
6469 | -DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch, |
6470 | - TP_PROTO(int nbytes, unsigned long IP), |
6471 | - |
6472 | - TP_ARGS(nbytes, IP) |
6473 | -); |
6474 | - |
6475 | -DECLARE_EVENT_CLASS(random__extract_entropy, |
6476 | - TP_PROTO(const char *pool_name, int nbytes, int entropy_count, |
6477 | - unsigned long IP), |
6478 | - |
6479 | - TP_ARGS(pool_name, nbytes, entropy_count, IP), |
6480 | - |
6481 | - TP_STRUCT__entry( |
6482 | - __field( const char *, pool_name ) |
6483 | - __field( int, nbytes ) |
6484 | - __field( int, entropy_count ) |
6485 | - __field(unsigned long, IP ) |
6486 | - ), |
6487 | - |
6488 | - TP_fast_assign( |
6489 | - __entry->pool_name = pool_name; |
6490 | - __entry->nbytes = nbytes; |
6491 | - __entry->entropy_count = entropy_count; |
6492 | - __entry->IP = IP; |
6493 | - ), |
6494 | - |
6495 | - TP_printk("%s pool: nbytes %d entropy_count %d caller %pS", |
6496 | - __entry->pool_name, __entry->nbytes, __entry->entropy_count, |
6497 | - (void *)__entry->IP) |
6498 | -); |
6499 | - |
6500 | - |
6501 | -DEFINE_EVENT(random__extract_entropy, extract_entropy, |
6502 | - TP_PROTO(const char *pool_name, int nbytes, int entropy_count, |
6503 | - unsigned long IP), |
6504 | - |
6505 | - TP_ARGS(pool_name, nbytes, entropy_count, IP) |
6506 | -); |
6507 | - |
6508 | -DEFINE_EVENT(random__extract_entropy, extract_entropy_user, |
6509 | - TP_PROTO(const char *pool_name, int nbytes, int entropy_count, |
6510 | - unsigned long IP), |
6511 | - |
6512 | - TP_ARGS(pool_name, nbytes, entropy_count, IP) |
6513 | -); |
6514 | - |
6515 | -TRACE_EVENT(random_read, |
6516 | - TP_PROTO(int got_bits, int need_bits, int pool_left, int input_left), |
6517 | - |
6518 | - TP_ARGS(got_bits, need_bits, pool_left, input_left), |
6519 | - |
6520 | - TP_STRUCT__entry( |
6521 | - __field( int, got_bits ) |
6522 | - __field( int, need_bits ) |
6523 | - __field( int, pool_left ) |
6524 | - __field( int, input_left ) |
6525 | - ), |
6526 | - |
6527 | - TP_fast_assign( |
6528 | - __entry->got_bits = got_bits; |
6529 | - __entry->need_bits = need_bits; |
6530 | - __entry->pool_left = pool_left; |
6531 | - __entry->input_left = input_left; |
6532 | - ), |
6533 | - |
6534 | - TP_printk("got_bits %d still_needed_bits %d " |
6535 | - "blocking_pool_entropy_left %d input_entropy_left %d", |
6536 | - __entry->got_bits, __entry->got_bits, __entry->pool_left, |
6537 | - __entry->input_left) |
6538 | -); |
6539 | - |
6540 | -TRACE_EVENT(urandom_read, |
6541 | - TP_PROTO(int got_bits, int pool_left, int input_left), |
6542 | - |
6543 | - TP_ARGS(got_bits, pool_left, input_left), |
6544 | - |
6545 | - TP_STRUCT__entry( |
6546 | - __field( int, got_bits ) |
6547 | - __field( int, pool_left ) |
6548 | - __field( int, input_left ) |
6549 | - ), |
6550 | - |
6551 | - TP_fast_assign( |
6552 | - __entry->got_bits = got_bits; |
6553 | - __entry->pool_left = pool_left; |
6554 | - __entry->input_left = input_left; |
6555 | - ), |
6556 | - |
6557 | - TP_printk("got_bits %d nonblocking_pool_entropy_left %d " |
6558 | - "input_entropy_left %d", __entry->got_bits, |
6559 | - __entry->pool_left, __entry->input_left) |
6560 | -); |
6561 | - |
6562 | -#endif /* _TRACE_RANDOM_H */ |
6563 | - |
6564 | -/* This part must be outside protection */ |
6565 | -#include <trace/define_trace.h> |
6566 | diff --git a/include/uapi/linux/random.h b/include/uapi/linux/random.h |
6567 | index 26ee91300e3ec..dcc1b3e6106fe 100644 |
6568 | --- a/include/uapi/linux/random.h |
6569 | +++ b/include/uapi/linux/random.h |
6570 | @@ -48,9 +48,11 @@ struct rand_pool_info { |
6571 | * Flags for getrandom(2) |
6572 | * |
6573 | * GRND_NONBLOCK Don't block and return EAGAIN instead |
6574 | - * GRND_RANDOM Use the /dev/random pool instead of /dev/urandom |
6575 | + * GRND_RANDOM No effect |
6576 | + * GRND_INSECURE Return non-cryptographic random bytes |
6577 | */ |
6578 | #define GRND_NONBLOCK 0x0001 |
6579 | #define GRND_RANDOM 0x0002 |
6580 | +#define GRND_INSECURE 0x0004 |
6581 | |
6582 | #endif /* _UAPI_LINUX_RANDOM_H */ |
6583 | diff --git a/init/main.c b/init/main.c |
6584 | index d292daabd9a22..a17a111d93362 100644 |
6585 | --- a/init/main.c |
6586 | +++ b/init/main.c |
6587 | @@ -680,21 +680,18 @@ asmlinkage __visible void __init start_kernel(void) |
6588 | hrtimers_init(); |
6589 | softirq_init(); |
6590 | timekeeping_init(); |
6591 | + time_init(); |
6592 | |
6593 | /* |
6594 | * For best initial stack canary entropy, prepare it after: |
6595 | * - setup_arch() for any UEFI RNG entropy and boot cmdline access |
6596 | - * - timekeeping_init() for ktime entropy used in rand_initialize() |
6597 | - * - rand_initialize() to get any arch-specific entropy like RDRAND |
6598 | - * - add_latent_entropy() to get any latent entropy |
6599 | - * - adding command line entropy |
6600 | + * - timekeeping_init() for ktime entropy used in random_init() |
6601 | + * - time_init() for making random_get_entropy() work on some platforms |
6602 | + * - random_init() to initialize the RNG from from early entropy sources |
6603 | */ |
6604 | - rand_initialize(); |
6605 | - add_latent_entropy(); |
6606 | - add_device_randomness(command_line, strlen(command_line)); |
6607 | + random_init(command_line); |
6608 | boot_init_stack_canary(); |
6609 | |
6610 | - time_init(); |
6611 | perf_event_init(); |
6612 | profile_init(); |
6613 | call_function_init(); |
6614 | diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c |
6615 | index 768ffd6037875..811071c227f11 100644 |
6616 | --- a/kernel/bpf/stackmap.c |
6617 | +++ b/kernel/bpf/stackmap.c |
6618 | @@ -117,7 +117,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) |
6619 | return ERR_PTR(-E2BIG); |
6620 | |
6621 | cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); |
6622 | - err = bpf_map_charge_init(&mem, cost); |
6623 | + err = bpf_map_charge_init(&mem, cost + attr->max_entries * |
6624 | + (sizeof(struct stack_map_bucket) + (u64)value_size)); |
6625 | if (err) |
6626 | return ERR_PTR(err); |
6627 | |
6628 | diff --git a/kernel/cpu.c b/kernel/cpu.c |
6629 | index 06c009489892f..c08456af0c7fe 100644 |
6630 | --- a/kernel/cpu.c |
6631 | +++ b/kernel/cpu.c |
6632 | @@ -33,6 +33,7 @@ |
6633 | #include <linux/slab.h> |
6634 | #include <linux/percpu-rwsem.h> |
6635 | #include <linux/cpuset.h> |
6636 | +#include <linux/random.h> |
6637 | |
6638 | #include <trace/events/power.h> |
6639 | #define CREATE_TRACE_POINTS |
6640 | @@ -1459,6 +1460,11 @@ static struct cpuhp_step cpuhp_hp_states[] = { |
6641 | .startup.single = perf_event_init_cpu, |
6642 | .teardown.single = perf_event_exit_cpu, |
6643 | }, |
6644 | + [CPUHP_RANDOM_PREPARE] = { |
6645 | + .name = "random:prepare", |
6646 | + .startup.single = random_prepare_cpu, |
6647 | + .teardown.single = NULL, |
6648 | + }, |
6649 | [CPUHP_WORKQUEUE_PREP] = { |
6650 | .name = "workqueue:prepare", |
6651 | .startup.single = workqueue_prepare_cpu, |
6652 | @@ -1575,6 +1581,11 @@ static struct cpuhp_step cpuhp_hp_states[] = { |
6653 | .startup.single = workqueue_online_cpu, |
6654 | .teardown.single = workqueue_offline_cpu, |
6655 | }, |
6656 | + [CPUHP_AP_RANDOM_ONLINE] = { |
6657 | + .name = "random:online", |
6658 | + .startup.single = random_online_cpu, |
6659 | + .teardown.single = NULL, |
6660 | + }, |
6661 | [CPUHP_AP_RCUTREE_ONLINE] = { |
6662 | .name = "RCU/tree:online", |
6663 | .startup.single = rcutree_online_cpu, |
6664 | diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c |
6665 | index 1c133f610f592..9a4837b68e18f 100644 |
6666 | --- a/kernel/dma/debug.c |
6667 | +++ b/kernel/dma/debug.c |
6668 | @@ -616,7 +616,7 @@ static void add_dma_entry(struct dma_debug_entry *entry) |
6669 | |
6670 | rc = active_cacheline_insert(entry); |
6671 | if (rc == -ENOMEM) { |
6672 | - pr_err("cacheline tracking ENOMEM, dma-debug disabled\n"); |
6673 | + pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); |
6674 | global_disable = true; |
6675 | } |
6676 | |
6677 | diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c |
6678 | index a4ace611f47fe..d2d7559ecbfec 100644 |
6679 | --- a/kernel/irq/handle.c |
6680 | +++ b/kernel/irq/handle.c |
6681 | @@ -188,7 +188,7 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc) |
6682 | |
6683 | retval = __handle_irq_event_percpu(desc, &flags); |
6684 | |
6685 | - add_interrupt_randomness(desc->irq_data.irq, flags); |
6686 | + add_interrupt_randomness(desc->irq_data.irq); |
6687 | |
6688 | if (!noirqdebug) |
6689 | note_interrupt(desc, retval); |
6690 | diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c |
6691 | index 36ed8bad3909e..e23c9e765a5ff 100644 |
6692 | --- a/kernel/time/timekeeping.c |
6693 | +++ b/kernel/time/timekeeping.c |
6694 | @@ -17,6 +17,7 @@ |
6695 | #include <linux/clocksource.h> |
6696 | #include <linux/jiffies.h> |
6697 | #include <linux/time.h> |
6698 | +#include <linux/timex.h> |
6699 | #include <linux/tick.h> |
6700 | #include <linux/stop_machine.h> |
6701 | #include <linux/pvclock_gtod.h> |
6702 | @@ -2304,6 +2305,20 @@ static int timekeeping_validate_timex(const struct __kernel_timex *txc) |
6703 | return 0; |
6704 | } |
6705 | |
6706 | +/** |
6707 | + * random_get_entropy_fallback - Returns the raw clock source value, |
6708 | + * used by random.c for platforms with no valid random_get_entropy(). |
6709 | + */ |
6710 | +unsigned long random_get_entropy_fallback(void) |
6711 | +{ |
6712 | + struct tk_read_base *tkr = &tk_core.timekeeper.tkr_mono; |
6713 | + struct clocksource *clock = READ_ONCE(tkr->clock); |
6714 | + |
6715 | + if (unlikely(timekeeping_suspended || !clock)) |
6716 | + return 0; |
6717 | + return clock->read(clock); |
6718 | +} |
6719 | +EXPORT_SYMBOL_GPL(random_get_entropy_fallback); |
6720 | |
6721 | /** |
6722 | * do_adjtimex() - Accessor function to NTP __do_adjtimex function |
6723 | diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug |
6724 | index a846f03901dbd..dd7044aa1a120 100644 |
6725 | --- a/lib/Kconfig.debug |
6726 | +++ b/lib/Kconfig.debug |
6727 | @@ -1292,8 +1292,7 @@ config WARN_ALL_UNSEEDED_RANDOM |
6728 | so architecture maintainers really need to do what they can |
6729 | to get the CRNG seeded sooner after the system is booted. |
6730 | However, since users cannot do anything actionable to |
6731 | - address this, by default the kernel will issue only a single |
6732 | - warning for the first use of unseeded randomness. |
6733 | + address this, by default this option is disabled. |
6734 | |
6735 | Say Y here if you want to receive warnings for all uses of |
6736 | unseeded randomness. This will be of use primarily for |
6737 | diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile |
6738 | index cbe0b6a6450d7..9d7feabacd1d6 100644 |
6739 | --- a/lib/crypto/Makefile |
6740 | +++ b/lib/crypto/Makefile |
6741 | @@ -11,3 +11,9 @@ libdes-y := des.o |
6742 | |
6743 | obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o |
6744 | libsha256-y := sha256.o |
6745 | + |
6746 | +obj-y += libblake2s.o |
6747 | +libblake2s-y += blake2s.o blake2s-generic.o |
6748 | +ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y) |
6749 | +libblake2s-y += blake2s-selftest.o |
6750 | +endif |
6751 | diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c |
6752 | new file mode 100644 |
6753 | index 0000000000000..04ff8df245136 |
6754 | --- /dev/null |
6755 | +++ b/lib/crypto/blake2s-generic.c |
6756 | @@ -0,0 +1,111 @@ |
6757 | +// SPDX-License-Identifier: GPL-2.0 OR MIT |
6758 | +/* |
6759 | + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
6760 | + * |
6761 | + * This is an implementation of the BLAKE2s hash and PRF functions. |
6762 | + * |
6763 | + * Information: https://blake2.net/ |
6764 | + * |
6765 | + */ |
6766 | + |
6767 | +#include <crypto/internal/blake2s.h> |
6768 | +#include <linux/types.h> |
6769 | +#include <linux/string.h> |
6770 | +#include <linux/kernel.h> |
6771 | +#include <linux/module.h> |
6772 | +#include <linux/init.h> |
6773 | +#include <linux/bug.h> |
6774 | +#include <asm/unaligned.h> |
6775 | + |
6776 | +static const u8 blake2s_sigma[10][16] = { |
6777 | + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, |
6778 | + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, |
6779 | + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, |
6780 | + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, |
6781 | + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, |
6782 | + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, |
6783 | + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, |
6784 | + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, |
6785 | + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, |
6786 | + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, |
6787 | +}; |
6788 | + |
6789 | +static inline void blake2s_increment_counter(struct blake2s_state *state, |
6790 | + const u32 inc) |
6791 | +{ |
6792 | + state->t[0] += inc; |
6793 | + state->t[1] += (state->t[0] < inc); |
6794 | +} |
6795 | + |
6796 | +void blake2s_compress_generic(struct blake2s_state *state,const u8 *block, |
6797 | + size_t nblocks, const u32 inc) |
6798 | +{ |
6799 | + u32 m[16]; |
6800 | + u32 v[16]; |
6801 | + int i; |
6802 | + |
6803 | + WARN_ON(IS_ENABLED(DEBUG) && |
6804 | + (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE)); |
6805 | + |
6806 | + while (nblocks > 0) { |
6807 | + blake2s_increment_counter(state, inc); |
6808 | + memcpy(m, block, BLAKE2S_BLOCK_SIZE); |
6809 | + le32_to_cpu_array(m, ARRAY_SIZE(m)); |
6810 | + memcpy(v, state->h, 32); |
6811 | + v[ 8] = BLAKE2S_IV0; |
6812 | + v[ 9] = BLAKE2S_IV1; |
6813 | + v[10] = BLAKE2S_IV2; |
6814 | + v[11] = BLAKE2S_IV3; |
6815 | + v[12] = BLAKE2S_IV4 ^ state->t[0]; |
6816 | + v[13] = BLAKE2S_IV5 ^ state->t[1]; |
6817 | + v[14] = BLAKE2S_IV6 ^ state->f[0]; |
6818 | + v[15] = BLAKE2S_IV7 ^ state->f[1]; |
6819 | + |
6820 | +#define G(r, i, a, b, c, d) do { \ |
6821 | + a += b + m[blake2s_sigma[r][2 * i + 0]]; \ |
6822 | + d = ror32(d ^ a, 16); \ |
6823 | + c += d; \ |
6824 | + b = ror32(b ^ c, 12); \ |
6825 | + a += b + m[blake2s_sigma[r][2 * i + 1]]; \ |
6826 | + d = ror32(d ^ a, 8); \ |
6827 | + c += d; \ |
6828 | + b = ror32(b ^ c, 7); \ |
6829 | +} while (0) |
6830 | + |
6831 | +#define ROUND(r) do { \ |
6832 | + G(r, 0, v[0], v[ 4], v[ 8], v[12]); \ |
6833 | + G(r, 1, v[1], v[ 5], v[ 9], v[13]); \ |
6834 | + G(r, 2, v[2], v[ 6], v[10], v[14]); \ |
6835 | + G(r, 3, v[3], v[ 7], v[11], v[15]); \ |
6836 | + G(r, 4, v[0], v[ 5], v[10], v[15]); \ |
6837 | + G(r, 5, v[1], v[ 6], v[11], v[12]); \ |
6838 | + G(r, 6, v[2], v[ 7], v[ 8], v[13]); \ |
6839 | + G(r, 7, v[3], v[ 4], v[ 9], v[14]); \ |
6840 | +} while (0) |
6841 | + ROUND(0); |
6842 | + ROUND(1); |
6843 | + ROUND(2); |
6844 | + ROUND(3); |
6845 | + ROUND(4); |
6846 | + ROUND(5); |
6847 | + ROUND(6); |
6848 | + ROUND(7); |
6849 | + ROUND(8); |
6850 | + ROUND(9); |
6851 | + |
6852 | +#undef G |
6853 | +#undef ROUND |
6854 | + |
6855 | + for (i = 0; i < 8; ++i) |
6856 | + state->h[i] ^= v[i] ^ v[i + 8]; |
6857 | + |
6858 | + block += BLAKE2S_BLOCK_SIZE; |
6859 | + --nblocks; |
6860 | + } |
6861 | +} |
6862 | + |
6863 | +EXPORT_SYMBOL(blake2s_compress_generic); |
6864 | + |
6865 | +MODULE_LICENSE("GPL v2"); |
6866 | +MODULE_DESCRIPTION("BLAKE2s hash function"); |
6867 | +MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>"); |
6868 | diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c |
6869 | new file mode 100644 |
6870 | index 0000000000000..7a9edc96ddddf |
6871 | --- /dev/null |
6872 | +++ b/lib/crypto/blake2s-selftest.c |
6873 | @@ -0,0 +1,591 @@ |
6874 | +// SPDX-License-Identifier: GPL-2.0 OR MIT |
6875 | +/* |
6876 | + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
6877 | + */ |
6878 | + |
6879 | +#include <crypto/blake2s.h> |
6880 | +#include <linux/string.h> |
6881 | + |
6882 | +/* |
6883 | + * blake2s_testvecs[] generated with the program below (using libb2-dev and |
6884 | + * libssl-dev [OpenSSL]) |
6885 | + * |
6886 | + * #include <blake2.h> |
6887 | + * #include <stdint.h> |
6888 | + * #include <stdio.h> |
6889 | + * |
6890 | + * #include <openssl/evp.h> |
6891 | + * |
6892 | + * #define BLAKE2S_TESTVEC_COUNT 256 |
6893 | + * |
6894 | + * static void print_vec(const uint8_t vec[], int len) |
6895 | + * { |
6896 | + * int i; |
6897 | + * |
6898 | + * printf(" { "); |
6899 | + * for (i = 0; i < len; i++) { |
6900 | + * if (i && (i % 12) == 0) |
6901 | + * printf("\n "); |
6902 | + * printf("0x%02x, ", vec[i]); |
6903 | + * } |
6904 | + * printf("},\n"); |
6905 | + * } |
6906 | + * |
6907 | + * int main(void) |
6908 | + * { |
6909 | + * uint8_t key[BLAKE2S_KEYBYTES]; |
6910 | + * uint8_t buf[BLAKE2S_TESTVEC_COUNT]; |
6911 | + * uint8_t hash[BLAKE2S_OUTBYTES]; |
6912 | + * int i, j; |
6913 | + * |
6914 | + * key[0] = key[1] = 1; |
6915 | + * for (i = 2; i < BLAKE2S_KEYBYTES; ++i) |
6916 | + * key[i] = key[i - 2] + key[i - 1]; |
6917 | + * |
6918 | + * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) |
6919 | + * buf[i] = (uint8_t)i; |
6920 | + * |
6921 | + * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n"); |
6922 | + * |
6923 | + * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) { |
6924 | + * int outlen = 1 + i % BLAKE2S_OUTBYTES; |
6925 | + * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1); |
6926 | + * |
6927 | + * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i, |
6928 | + * keylen); |
6929 | + * print_vec(hash, outlen); |
6930 | + * } |
6931 | + * printf("};\n\n"); |
6932 | + * |
6933 | + * return 0; |
6934 | + *} |
6935 | + */ |
6936 | +static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = { |
6937 | + { 0xa1, }, |
6938 | + { 0x7c, 0x89, }, |
6939 | + { 0x74, 0x0e, 0xd4, }, |
6940 | + { 0x47, 0x0c, 0x21, 0x15, }, |
6941 | + { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, }, |
6942 | + { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, }, |
6943 | + { 0x2c, 0xb5, 0x04, 0xb7, 0x99, 0xe2, 0x73, }, |
6944 | + { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, }, |
6945 | + { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, }, |
6946 | + { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, }, |
6947 | + { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, }, |
6948 | + { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, }, |
6949 | + { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda, |
6950 | + 0xb7, }, |
6951 | + { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25, |
6952 | + 0x52, 0x3e, }, |
6953 | + { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc, |
6954 | + 0x57, 0xe2, 0x27, }, |
6955 | + { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6, |
6956 | + 0x47, 0x2a, 0xc7, 0xf5, }, |
6957 | + { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43, |
6958 | + 0xe7, 0x72, 0x08, 0xec, 0xbe, }, |
6959 | + { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96, |
6960 | + 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, }, |
6961 | + { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e, |
6962 | + 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, }, |
6963 | + { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d, |
6964 | + 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, }, |
6965 | + { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86, |
6966 | + 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, }, |
6967 | + { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41, |
6968 | + 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, }, |
6969 | + { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22, |
6970 | + 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, }, |
6971 | + { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00, |
6972 | + 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, }, |
6973 | + { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9, |
6974 | + 0x6a, 0xe7, 0xcb, 0xc4, 0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13, |
6975 | + 0xd1, }, |
6976 | + { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05, |
6977 | + 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07, |
6978 | + 0x01, 0x3e, }, |
6979 | + { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74, |
6980 | + 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b, |
6981 | + 0xec, 0x13, 0xed, }, |
6982 | + { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7, |
6983 | + 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37, |
6984 | + 0x72, 0x67, 0x09, 0xfc, }, |
6985 | + { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38, |
6986 | + 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c, |
6987 | + 0x95, 0x29, 0x19, 0xf2, 0x4b, }, |
6988 | + { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22, |
6989 | + 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30, |
6990 | + 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, }, |
6991 | + { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e, |
6992 | + 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd, |
6993 | + 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, }, |
6994 | + { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe, |
6995 | + 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61, |
6996 | + 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, }, |
6997 | + { 0x0a, }, |
6998 | + { 0x6e, 0xd4, }, |
6999 | + { 0x64, 0xe9, 0xd1, }, |
7000 | + { 0x30, 0xdd, 0x71, 0xef, }, |
7001 | + { 0x11, 0xb5, 0x0c, 0x87, 0xc9, }, |
7002 | + { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, }, |
7003 | + { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, }, |
7004 | + { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, }, |
7005 | + { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, }, |
7006 | + { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, }, |
7007 | + { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, }, |
7008 | + { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, }, |
7009 | + { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf, |
7010 | + 0xe2, }, |
7011 | + { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64, |
7012 | + 0x7e, 0xb0, }, |
7013 | + { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51, |
7014 | + 0x98, 0x0a, 0x8d, }, |
7015 | + { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04, |
7016 | + 0xf1, 0xc3, 0x94, 0xd8, }, |
7017 | + { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7, |
7018 | + 0x2c, 0xe8, 0x8f, 0xc7, 0x34, }, |
7019 | + { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41, |
7020 | + 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, }, |
7021 | + { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81, |
7022 | + 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, }, |
7023 | + { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4, |
7024 | + 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, }, |
7025 | + { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a, |
7026 | + 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, }, |
7027 | + { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb, |
7028 | + 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, }, |
7029 | + { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9, |
7030 | + 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, }, |
7031 | + { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9, |
7032 | + 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, }, |
7033 | + { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e, |
7034 | + 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42, |
7035 | + 0xe3, }, |
7036 | + { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9, |
7037 | + 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e, |
7038 | + 0xe3, 0x90, }, |
7039 | + { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 0x7d, 0x75, 0xc3, |
7040 | + 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10, |
7041 | + 0x58, 0x06, 0x9a, }, |
7042 | + { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5, |
7043 | + 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d, |
7044 | + 0x53, 0x03, 0x1a, 0x39, }, |
7045 | + { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0, |
7046 | + 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5, |
7047 | + 0xd4, 0x36, 0xb1, 0xac, 0x73, }, |
7048 | + { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59, |
7049 | + 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90, |
7050 | + 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, }, |
7051 | + { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28, |
7052 | + 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75, |
7053 | + 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, }, |
7054 | + { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6, |
7055 | + 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77, |
7056 | + 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, }, |
7057 | + { 0x9d, }, |
7058 | + { 0x9d, 0x7d, }, |
7059 | + { 0xfd, 0xc3, 0xda, }, |
7060 | + { 0xe8, 0x82, 0xcd, 0x21, }, |
7061 | + { 0xc3, 0x1d, 0x42, 0x4c, 0x74, }, |
7062 | + { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, }, |
7063 | + { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, }, |
7064 | + { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, }, |
7065 | + { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, }, |
7066 | + { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, }, |
7067 | + { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, }, |
7068 | + { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, }, |
7069 | + { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3, |
7070 | + 0x63, }, |
7071 | + { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f, |
7072 | + 0xe6, 0xa9, }, |
7073 | + { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 0xf2, 0x62, 0x0a, |
7074 | + 0xf6, 0x0e, 0x20, }, |
7075 | + { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39, |
7076 | + 0x18, 0x3e, 0xc7, 0xc3, }, |
7077 | + { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c, |
7078 | + 0x92, 0xfc, 0x7f, 0x34, 0x41, }, |
7079 | + { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb, |
7080 | + 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, }, |
7081 | + { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96, |
7082 | + 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, }, |
7083 | + { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6, |
7084 | + 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, }, |
7085 | + { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba, |
7086 | + 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, }, |
7087 | + { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0, |
7088 | + 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, }, |
7089 | + { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d, |
7090 | + 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, }, |
7091 | + { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59, |
7092 | + 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, }, |
7093 | + { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89, |
7094 | + 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e, |
7095 | + 0xaf, }, |
7096 | + { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc, |
7097 | + 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7, |
7098 | + 0xb1, 0x1d, }, |
7099 | + { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9, |
7100 | + 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf, |
7101 | + 0xee, 0x6a, 0xbe, }, |
7102 | + { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8, |
7103 | + 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd, |
7104 | + 0x5c, 0xef, 0xa3, 0x25, }, |
7105 | + { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6, |
7106 | + 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8, |
7107 | + 0x4b, 0x0e, 0xe3, 0x94, 0x9f, }, |
7108 | + { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc, |
7109 | + 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf, |
7110 | + 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, }, |
7111 | + { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76, |
7112 | + 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46, |
7113 | + 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, }, |
7114 | + { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02, |
7115 | + 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3, |
7116 | + 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, }, |
7117 | + { 0x02, }, |
7118 | + { 0x52, 0xa8, }, |
7119 | + { 0x38, 0x25, 0x0d, }, |
7120 | + { 0xe3, 0x04, 0xd4, 0x92, }, |
7121 | + { 0x97, 0xdb, 0xf7, 0x81, 0xca, }, |
7122 | + { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, }, |
7123 | + { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, }, |
7124 | + { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, }, |
7125 | + { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, }, |
7126 | + { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, }, |
7127 | + { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, }, |
7128 | + { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, }, |
7129 | + { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa, |
7130 | + 0xd3, }, |
7131 | + { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c, |
7132 | + 0xb7, 0x9a, }, |
7133 | + { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31, |
7134 | + 0x3d, 0x47, 0x3d, }, |
7135 | + { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0, |
7136 | + 0x24, 0xf0, 0x17, 0xc0, }, |
7137 | + { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76, |
7138 | + 0xd2, 0xfd, 0x0c, 0x47, 0x40, }, |
7139 | + { 0xa1, 0xd8, 0x09, 0x97, 0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae, |
7140 | + 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, }, |
7141 | + { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee, |
7142 | + 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, }, |
7143 | + { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d, |
7144 | + 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, }, |
7145 | + { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61, |
7146 | + 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, }, |
7147 | + { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd, |
7148 | + 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, }, |
7149 | + { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5, |
7150 | + 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, }, |
7151 | + { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17, |
7152 | + 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, }, |
7153 | + { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c, |
7154 | + 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c, |
7155 | + 0xae, }, |
7156 | + { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5, |
7157 | + 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d, |
7158 | + 0x59, 0x00, }, |
7159 | + { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e, |
7160 | + 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c, |
7161 | + 0x5a, 0x2c, 0x3b, }, |
7162 | + { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda, |
7163 | + 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c, |
7164 | + 0x10, 0x07, 0x2a, 0xc4, }, |
7165 | + { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14, |
7166 | + 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf, |
7167 | + 0xee, 0xa1, 0x74, 0xd6, 0x71, }, |
7168 | + { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33, |
7169 | + 0xcf, 0x74, 0x25, 0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff, |
7170 | + 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, }, |
7171 | + { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c, |
7172 | + 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44, |
7173 | + 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, }, |
7174 | + { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff, |
7175 | + 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23, |
7176 | + 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, }, |
7177 | + { 0xbe, }, |
7178 | + { 0x17, 0x6c, }, |
7179 | + { 0x1a, 0x42, 0x4f, }, |
7180 | + { 0xba, 0xaf, 0xb7, 0x65, }, |
7181 | + { 0xc2, 0x63, 0x43, 0x6a, 0xea, }, |
7182 | + { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, }, |
7183 | + { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, }, |
7184 | + { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, }, |
7185 | + { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, }, |
7186 | + { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, }, |
7187 | + { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, }, |
7188 | + { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, }, |
7189 | + { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92, |
7190 | + 0xe9, }, |
7191 | + { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d, |
7192 | + 0xc4, 0xb3, }, |
7193 | + { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60, |
7194 | + 0xd7, 0xd3, 0x5e, }, |
7195 | + { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16, |
7196 | + 0xaf, 0x39, 0xbd, 0x92, }, |
7197 | + { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10, |
7198 | + 0xd9, 0xa7, 0x66, 0x27, 0xcf, }, |
7199 | + { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02, |
7200 | + 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, }, |
7201 | + { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd, |
7202 | + 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, }, |
7203 | + { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3, |
7204 | + 0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, }, |
7205 | + { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f, |
7206 | + 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, }, |
7207 | + { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51, |
7208 | + 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, }, |
7209 | + { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3, |
7210 | + 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, }, |
7211 | + { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda, |
7212 | + 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, }, |
7213 | + { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6, |
7214 | + 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a, |
7215 | + 0x26, }, |
7216 | + { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24, |
7217 | + 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35, |
7218 | + 0xf4, 0x1d, }, |
7219 | + { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9, |
7220 | + 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46, |
7221 | + 0x4e, 0x29, 0x26, }, |
7222 | + { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09, |
7223 | + 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98, |
7224 | + 0x1a, 0x5b, 0xff, 0xc9, }, |
7225 | + { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2, |
7226 | + 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69, |
7227 | + 0xbf, 0xf6, 0xbe, 0x3c, 0x40, }, |
7228 | + { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31, |
7229 | + 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20, |
7230 | + 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, }, |
7231 | + { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4, |
7232 | + 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30, |
7233 | + 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, }, |
7234 | + { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0, |
7235 | + 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5, |
7236 | + 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, }, |
7237 | + { 0x1f, }, |
7238 | + { 0x82, 0x60, }, |
7239 | + { 0xcc, 0xe3, 0x08, }, |
7240 | + { 0x56, 0x17, 0xe4, 0x59, }, |
7241 | + { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, }, |
7242 | + { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, }, |
7243 | + { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, }, |
7244 | + { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, }, |
7245 | + { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, }, |
7246 | + { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, }, |
7247 | + { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, }, |
7248 | + { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, }, |
7249 | + { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc, |
7250 | + 0x5b, }, |
7251 | + { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0, |
7252 | + 0x90, 0x48, }, |
7253 | + { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60, |
7254 | + 0x04, 0xd9, 0xd5, }, |
7255 | + { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47, |
7256 | + 0xe5, 0x31, 0x06, 0x70, }, |
7257 | + { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c, |
7258 | + 0x70, 0x25, 0xdb, 0x33, 0x27, }, |
7259 | + { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a, |
7260 | + 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, }, |
7261 | + { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3, |
7262 | + 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, }, |
7263 | + { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7, |
7264 | + 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, }, |
7265 | + { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac, |
7266 | + 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, }, |
7267 | + { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98, |
7268 | + 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 0x70, 0x82, 0x1c, 0x7b, 0x74, }, |
7269 | + { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11, |
7270 | + 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, }, |
7271 | + { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a, |
7272 | + 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, }, |
7273 | + { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41, |
7274 | + 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70, |
7275 | + 0x88, }, |
7276 | + { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4, |
7277 | + 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3, |
7278 | + 0xc6, 0xbb, }, |
7279 | + { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55, |
7280 | + 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5, |
7281 | + 0x55, 0xfd, 0x4f, }, |
7282 | + { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e, |
7283 | + 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2, |
7284 | + 0x42, 0x64, 0x3b, 0x1a, }, |
7285 | + { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95, |
7286 | + 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5, |
7287 | + 0x1d, 0x60, 0x8f, 0x8a, 0x1d, }, |
7288 | + { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4, |
7289 | + 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d, |
7290 | + 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, }, |
7291 | + { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b, |
7292 | + 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3, |
7293 | + 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, }, |
7294 | + { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf, |
7295 | + 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f, |
7296 | + 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, }, |
7297 | + { 0x60, }, |
7298 | + { 0x24, 0x26, }, |
7299 | + { 0x47, 0xeb, 0xc9, }, |
7300 | + { 0x4a, 0xd0, 0xbc, 0xf0, }, |
7301 | + { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, }, |
7302 | + { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, }, |
7303 | + { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, }, |
7304 | + { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, }, |
7305 | + { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, }, |
7306 | + { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, }, |
7307 | + { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, }, |
7308 | + { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, }, |
7309 | + { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91, |
7310 | + 0x8d, }, |
7311 | + { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33, |
7312 | + 0xbf, 0xa0, }, |
7313 | + { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c, |
7314 | + 0xd5, 0x4b, 0xed, }, |
7315 | + { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44, |
7316 | + 0xc8, 0x24, 0x0a, 0xb7, }, |
7317 | + { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75, |
7318 | + 0xb2, 0x15, 0xd1, 0xb1, 0x10, }, |
7319 | + { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35, |
7320 | + 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, }, |
7321 | + { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9, |
7322 | + 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, }, |
7323 | + { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47, |
7324 | + 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, }, |
7325 | + { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35, |
7326 | + 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, }, |
7327 | + { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1, |
7328 | + 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, }, |
7329 | + { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21, |
7330 | + 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, }, |
7331 | + { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4, |
7332 | + 0x6a, 0x32, 0x90, 0xfe, 0xb7, 0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, }, |
7333 | + { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7, |
7334 | + 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7, |
7335 | + 0xd3, }, |
7336 | + { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb, |
7337 | + 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16, |
7338 | + 0xa6, 0xd6, }, |
7339 | + { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80, |
7340 | + 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88, |
7341 | + 0x55, 0xd1, 0xa9, }, |
7342 | + { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54, |
7343 | + 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46, |
7344 | + 0xef, 0xb0, 0x00, 0x8d, }, |
7345 | + { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8, |
7346 | + 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94, |
7347 | + 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, }, |
7348 | + { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4, |
7349 | + 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67, |
7350 | + 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, }, |
7351 | + { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02, |
7352 | + 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04, |
7353 | + 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, }, |
7354 | + { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28, |
7355 | + 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca, |
7356 | + 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, }, |
7357 | + { 0x7e, }, |
7358 | + { 0x1e, 0x21, }, |
7359 | + { 0x26, 0xd3, 0xdd, }, |
7360 | + { 0x2c, 0xd4, 0xb3, 0x3d, }, |
7361 | + { 0x86, 0x7b, 0x76, 0x3c, 0xf0, }, |
7362 | + { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, }, |
7363 | + { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, }, |
7364 | + { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, }, |
7365 | + { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, }, |
7366 | + { 0x39, 0x93, 0xdf, 0xd5, 0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, }, |
7367 | + { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, }, |
7368 | + { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, }, |
7369 | + { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77, |
7370 | + 0x66, }, |
7371 | + { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31, |
7372 | + 0x55, 0x66, }, |
7373 | + { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12, |
7374 | + 0x43, 0xbf, 0xa1, }, |
7375 | + { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e, |
7376 | + 0x95, 0x8a, 0xc5, 0xed, }, |
7377 | + { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef, |
7378 | + 0xf6, 0x2b, 0x3a, 0xba, 0x60, }, |
7379 | + { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2, |
7380 | + 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, }, |
7381 | + { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b, |
7382 | + 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, }, |
7383 | + { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94, |
7384 | + 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, }, |
7385 | + { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b, |
7386 | + 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, }, |
7387 | + { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf, |
7388 | + 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, }, |
7389 | + { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8, |
7390 | + 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, }, |
7391 | + { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea, |
7392 | + 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, }, |
7393 | + { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2, |
7394 | + 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0, |
7395 | + 0xd7, }, |
7396 | + { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b, |
7397 | + 0xd1, 0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd, |
7398 | + 0xb6, 0xef, }, |
7399 | + { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6, |
7400 | + 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57, |
7401 | + 0xef, 0xf8, 0x53, }, |
7402 | + { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46, |
7403 | + 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89, |
7404 | + 0x89, 0xfd, 0xf7, 0x99, }, |
7405 | + { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03, |
7406 | + 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a, |
7407 | + 0xa9, 0x8f, 0x2b, 0x59, 0xfb, }, |
7408 | + { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb, |
7409 | + 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d, |
7410 | + 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, }, |
7411 | + { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0, |
7412 | + 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d, |
7413 | + 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, }, |
7414 | + { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c, |
7415 | + 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92, |
7416 | + 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, }, |
7417 | +}; |
7418 | + |
7419 | +bool __init blake2s_selftest(void) |
7420 | +{ |
7421 | + u8 key[BLAKE2S_KEY_SIZE]; |
7422 | + u8 buf[ARRAY_SIZE(blake2s_testvecs)]; |
7423 | + u8 hash[BLAKE2S_HASH_SIZE]; |
7424 | + struct blake2s_state state; |
7425 | + bool success = true; |
7426 | + int i, l; |
7427 | + |
7428 | + key[0] = key[1] = 1; |
7429 | + for (i = 2; i < sizeof(key); ++i) |
7430 | + key[i] = key[i - 2] + key[i - 1]; |
7431 | + |
7432 | + for (i = 0; i < sizeof(buf); ++i) |
7433 | + buf[i] = (u8)i; |
7434 | + |
7435 | + for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) { |
7436 | + int outlen = 1 + i % BLAKE2S_HASH_SIZE; |
7437 | + int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1); |
7438 | + |
7439 | + blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, outlen, i, |
7440 | + keylen); |
7441 | + if (memcmp(hash, blake2s_testvecs[i], outlen)) { |
7442 | + pr_err("blake2s self-test %d: FAIL\n", i + 1); |
7443 | + success = false; |
7444 | + } |
7445 | + |
7446 | + if (!keylen) |
7447 | + blake2s_init(&state, outlen); |
7448 | + else |
7449 | + blake2s_init_key(&state, outlen, |
7450 | + key + BLAKE2S_KEY_SIZE - keylen, |
7451 | + keylen); |
7452 | + |
7453 | + blake2s_update(&state, buf, l); |
7454 | + blake2s_update(&state, buf + l, i - l); |
7455 | + blake2s_final(&state, hash); |
7456 | + if (memcmp(hash, blake2s_testvecs[i], outlen)) { |
7457 | + pr_err("blake2s init/update/final self-test %d: FAIL\n", |
7458 | + i + 1); |
7459 | + success = false; |
7460 | + } |
7461 | + } |
7462 | + |
7463 | + return success; |
7464 | +} |
7465 | diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c |
7466 | new file mode 100644 |
7467 | index 0000000000000..536fce87555b3 |
7468 | --- /dev/null |
7469 | +++ b/lib/crypto/blake2s.c |
7470 | @@ -0,0 +1,78 @@ |
7471 | +// SPDX-License-Identifier: GPL-2.0 OR MIT |
7472 | +/* |
7473 | + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
7474 | + * |
7475 | + * This is an implementation of the BLAKE2s hash and PRF functions. |
7476 | + * |
7477 | + * Information: https://blake2.net/ |
7478 | + * |
7479 | + */ |
7480 | + |
7481 | +#include <crypto/internal/blake2s.h> |
7482 | +#include <linux/types.h> |
7483 | +#include <linux/string.h> |
7484 | +#include <linux/kernel.h> |
7485 | +#include <linux/module.h> |
7486 | +#include <linux/init.h> |
7487 | +#include <linux/bug.h> |
7488 | +#include <asm/unaligned.h> |
7489 | + |
7490 | +bool blake2s_selftest(void); |
7491 | + |
7492 | +void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen) |
7493 | +{ |
7494 | + const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen; |
7495 | + |
7496 | + if (unlikely(!inlen)) |
7497 | + return; |
7498 | + if (inlen > fill) { |
7499 | + memcpy(state->buf + state->buflen, in, fill); |
7500 | + blake2s_compress_generic(state, state->buf, 1, |
7501 | + BLAKE2S_BLOCK_SIZE); |
7502 | + state->buflen = 0; |
7503 | + in += fill; |
7504 | + inlen -= fill; |
7505 | + } |
7506 | + if (inlen > BLAKE2S_BLOCK_SIZE) { |
7507 | + const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE); |
7508 | + /* Hash one less (full) block than strictly possible */ |
7509 | + blake2s_compress_generic(state, in, nblocks - 1, |
7510 | + BLAKE2S_BLOCK_SIZE); |
7511 | + in += BLAKE2S_BLOCK_SIZE * (nblocks - 1); |
7512 | + inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1); |
7513 | + } |
7514 | + memcpy(state->buf + state->buflen, in, inlen); |
7515 | + state->buflen += inlen; |
7516 | +} |
7517 | +EXPORT_SYMBOL(blake2s_update); |
7518 | + |
7519 | +void blake2s_final(struct blake2s_state *state, u8 *out) |
7520 | +{ |
7521 | + WARN_ON(IS_ENABLED(DEBUG) && !out); |
7522 | + blake2s_set_lastblock(state); |
7523 | + memset(state->buf + state->buflen, 0, |
7524 | + BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */ |
7525 | + blake2s_compress_generic(state, state->buf, 1, state->buflen); |
7526 | + cpu_to_le32_array(state->h, ARRAY_SIZE(state->h)); |
7527 | + memcpy(out, state->h, state->outlen); |
7528 | + memzero_explicit(state, sizeof(*state)); |
7529 | +} |
7530 | +EXPORT_SYMBOL(blake2s_final); |
7531 | + |
7532 | +static int __init mod_init(void) |
7533 | +{ |
7534 | + if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) && |
7535 | + WARN_ON(!blake2s_selftest())) |
7536 | + return -ENODEV; |
7537 | + return 0; |
7538 | +} |
7539 | + |
7540 | +static void __exit mod_exit(void) |
7541 | +{ |
7542 | +} |
7543 | + |
7544 | +module_init(mod_init); |
7545 | +module_exit(mod_exit); |
7546 | +MODULE_LICENSE("GPL v2"); |
7547 | +MODULE_DESCRIPTION("BLAKE2s hash function"); |
7548 | +MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>"); |
7549 | diff --git a/lib/random32.c b/lib/random32.c |
7550 | index 9085b1172015e..339624191b515 100644 |
7551 | --- a/lib/random32.c |
7552 | +++ b/lib/random32.c |
7553 | @@ -38,6 +38,9 @@ |
7554 | #include <linux/jiffies.h> |
7555 | #include <linux/random.h> |
7556 | #include <linux/sched.h> |
7557 | +#include <linux/bitops.h> |
7558 | +#include <linux/slab.h> |
7559 | +#include <linux/notifier.h> |
7560 | #include <asm/unaligned.h> |
7561 | |
7562 | /** |
7563 | @@ -544,9 +547,11 @@ static void prandom_reseed(struct timer_list *unused) |
7564 | * To avoid worrying about whether it's safe to delay that interrupt |
7565 | * long enough to seed all CPUs, just schedule an immediate timer event. |
7566 | */ |
7567 | -static void prandom_timer_start(struct random_ready_callback *unused) |
7568 | +static int prandom_timer_start(struct notifier_block *nb, |
7569 | + unsigned long action, void *data) |
7570 | { |
7571 | mod_timer(&seed_timer, jiffies); |
7572 | + return 0; |
7573 | } |
7574 | |
7575 | /* |
7576 | @@ -555,13 +560,13 @@ static void prandom_timer_start(struct random_ready_callback *unused) |
7577 | */ |
7578 | static int __init prandom_init_late(void) |
7579 | { |
7580 | - static struct random_ready_callback random_ready = { |
7581 | - .func = prandom_timer_start |
7582 | + static struct notifier_block random_ready = { |
7583 | + .notifier_call = prandom_timer_start |
7584 | }; |
7585 | - int ret = add_random_ready_callback(&random_ready); |
7586 | + int ret = register_random_ready_notifier(&random_ready); |
7587 | |
7588 | if (ret == -EALREADY) { |
7589 | - prandom_timer_start(&random_ready); |
7590 | + prandom_timer_start(&random_ready, 0, NULL); |
7591 | ret = 0; |
7592 | } |
7593 | return ret; |
7594 | diff --git a/lib/sha1.c b/lib/sha1.c |
7595 | index 1d96d2c02b826..bad46695476bd 100644 |
7596 | --- a/lib/sha1.c |
7597 | +++ b/lib/sha1.c |
7598 | @@ -10,6 +10,7 @@ |
7599 | #include <linux/export.h> |
7600 | #include <linux/bitops.h> |
7601 | #include <linux/cryptohash.h> |
7602 | +#include <linux/string.h> |
7603 | #include <asm/unaligned.h> |
7604 | |
7605 | /* |
7606 | @@ -55,7 +56,8 @@ |
7607 | #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \ |
7608 | __u32 TEMP = input(t); setW(t, TEMP); \ |
7609 | E += TEMP + rol32(A,5) + (fn) + (constant); \ |
7610 | - B = ror32(B, 2); } while (0) |
7611 | + B = ror32(B, 2); \ |
7612 | + TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0) |
7613 | |
7614 | #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E ) |
7615 | #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E ) |
7616 | @@ -82,6 +84,7 @@ |
7617 | void sha_transform(__u32 *digest, const char *data, __u32 *array) |
7618 | { |
7619 | __u32 A, B, C, D, E; |
7620 | + unsigned int i = 0; |
7621 | |
7622 | A = digest[0]; |
7623 | B = digest[1]; |
7624 | @@ -90,94 +93,24 @@ void sha_transform(__u32 *digest, const char *data, __u32 *array) |
7625 | E = digest[4]; |
7626 | |
7627 | /* Round 1 - iterations 0-16 take their input from 'data' */ |
7628 | - T_0_15( 0, A, B, C, D, E); |
7629 | - T_0_15( 1, E, A, B, C, D); |
7630 | - T_0_15( 2, D, E, A, B, C); |
7631 | - T_0_15( 3, C, D, E, A, B); |
7632 | - T_0_15( 4, B, C, D, E, A); |
7633 | - T_0_15( 5, A, B, C, D, E); |
7634 | - T_0_15( 6, E, A, B, C, D); |
7635 | - T_0_15( 7, D, E, A, B, C); |
7636 | - T_0_15( 8, C, D, E, A, B); |
7637 | - T_0_15( 9, B, C, D, E, A); |
7638 | - T_0_15(10, A, B, C, D, E); |
7639 | - T_0_15(11, E, A, B, C, D); |
7640 | - T_0_15(12, D, E, A, B, C); |
7641 | - T_0_15(13, C, D, E, A, B); |
7642 | - T_0_15(14, B, C, D, E, A); |
7643 | - T_0_15(15, A, B, C, D, E); |
7644 | + for (; i < 16; ++i) |
7645 | + T_0_15(i, A, B, C, D, E); |
7646 | |
7647 | /* Round 1 - tail. Input from 512-bit mixing array */ |
7648 | - T_16_19(16, E, A, B, C, D); |
7649 | - T_16_19(17, D, E, A, B, C); |
7650 | - T_16_19(18, C, D, E, A, B); |
7651 | - T_16_19(19, B, C, D, E, A); |
7652 | + for (; i < 20; ++i) |
7653 | + T_16_19(i, A, B, C, D, E); |
7654 | |
7655 | /* Round 2 */ |
7656 | - T_20_39(20, A, B, C, D, E); |
7657 | - T_20_39(21, E, A, B, C, D); |
7658 | - T_20_39(22, D, E, A, B, C); |
7659 | - T_20_39(23, C, D, E, A, B); |
7660 | - T_20_39(24, B, C, D, E, A); |
7661 | - T_20_39(25, A, B, C, D, E); |
7662 | - T_20_39(26, E, A, B, C, D); |
7663 | - T_20_39(27, D, E, A, B, C); |
7664 | - T_20_39(28, C, D, E, A, B); |
7665 | - T_20_39(29, B, C, D, E, A); |
7666 | - T_20_39(30, A, B, C, D, E); |
7667 | - T_20_39(31, E, A, B, C, D); |
7668 | - T_20_39(32, D, E, A, B, C); |
7669 | - T_20_39(33, C, D, E, A, B); |
7670 | - T_20_39(34, B, C, D, E, A); |
7671 | - T_20_39(35, A, B, C, D, E); |
7672 | - T_20_39(36, E, A, B, C, D); |
7673 | - T_20_39(37, D, E, A, B, C); |
7674 | - T_20_39(38, C, D, E, A, B); |
7675 | - T_20_39(39, B, C, D, E, A); |
7676 | + for (; i < 40; ++i) |
7677 | + T_20_39(i, A, B, C, D, E); |
7678 | |
7679 | /* Round 3 */ |
7680 | - T_40_59(40, A, B, C, D, E); |
7681 | - T_40_59(41, E, A, B, C, D); |
7682 | - T_40_59(42, D, E, A, B, C); |
7683 | - T_40_59(43, C, D, E, A, B); |
7684 | - T_40_59(44, B, C, D, E, A); |
7685 | - T_40_59(45, A, B, C, D, E); |
7686 | - T_40_59(46, E, A, B, C, D); |
7687 | - T_40_59(47, D, E, A, B, C); |
7688 | - T_40_59(48, C, D, E, A, B); |
7689 | - T_40_59(49, B, C, D, E, A); |
7690 | - T_40_59(50, A, B, C, D, E); |
7691 | - T_40_59(51, E, A, B, C, D); |
7692 | - T_40_59(52, D, E, A, B, C); |
7693 | - T_40_59(53, C, D, E, A, B); |
7694 | - T_40_59(54, B, C, D, E, A); |
7695 | - T_40_59(55, A, B, C, D, E); |
7696 | - T_40_59(56, E, A, B, C, D); |
7697 | - T_40_59(57, D, E, A, B, C); |
7698 | - T_40_59(58, C, D, E, A, B); |
7699 | - T_40_59(59, B, C, D, E, A); |
7700 | + for (; i < 60; ++i) |
7701 | + T_40_59(i, A, B, C, D, E); |
7702 | |
7703 | /* Round 4 */ |
7704 | - T_60_79(60, A, B, C, D, E); |
7705 | - T_60_79(61, E, A, B, C, D); |
7706 | - T_60_79(62, D, E, A, B, C); |
7707 | - T_60_79(63, C, D, E, A, B); |
7708 | - T_60_79(64, B, C, D, E, A); |
7709 | - T_60_79(65, A, B, C, D, E); |
7710 | - T_60_79(66, E, A, B, C, D); |
7711 | - T_60_79(67, D, E, A, B, C); |
7712 | - T_60_79(68, C, D, E, A, B); |
7713 | - T_60_79(69, B, C, D, E, A); |
7714 | - T_60_79(70, A, B, C, D, E); |
7715 | - T_60_79(71, E, A, B, C, D); |
7716 | - T_60_79(72, D, E, A, B, C); |
7717 | - T_60_79(73, C, D, E, A, B); |
7718 | - T_60_79(74, B, C, D, E, A); |
7719 | - T_60_79(75, A, B, C, D, E); |
7720 | - T_60_79(76, E, A, B, C, D); |
7721 | - T_60_79(77, D, E, A, B, C); |
7722 | - T_60_79(78, C, D, E, A, B); |
7723 | - T_60_79(79, B, C, D, E, A); |
7724 | + for (; i < 80; ++i) |
7725 | + T_60_79(i, A, B, C, D, E); |
7726 | |
7727 | digest[0] += A; |
7728 | digest[1] += B; |
7729 | diff --git a/lib/siphash.c b/lib/siphash.c |
7730 | index 025f0cbf6d7a7..b4055b1cc2f67 100644 |
7731 | --- a/lib/siphash.c |
7732 | +++ b/lib/siphash.c |
7733 | @@ -18,19 +18,13 @@ |
7734 | #include <asm/word-at-a-time.h> |
7735 | #endif |
7736 | |
7737 | -#define SIPROUND \ |
7738 | - do { \ |
7739 | - v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \ |
7740 | - v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \ |
7741 | - v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \ |
7742 | - v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \ |
7743 | - } while (0) |
7744 | +#define SIPROUND SIPHASH_PERMUTATION(v0, v1, v2, v3) |
7745 | |
7746 | #define PREAMBLE(len) \ |
7747 | - u64 v0 = 0x736f6d6570736575ULL; \ |
7748 | - u64 v1 = 0x646f72616e646f6dULL; \ |
7749 | - u64 v2 = 0x6c7967656e657261ULL; \ |
7750 | - u64 v3 = 0x7465646279746573ULL; \ |
7751 | + u64 v0 = SIPHASH_CONST_0; \ |
7752 | + u64 v1 = SIPHASH_CONST_1; \ |
7753 | + u64 v2 = SIPHASH_CONST_2; \ |
7754 | + u64 v3 = SIPHASH_CONST_3; \ |
7755 | u64 b = ((u64)(len)) << 56; \ |
7756 | v3 ^= key->key[1]; \ |
7757 | v2 ^= key->key[0]; \ |
7758 | @@ -389,19 +383,13 @@ u32 hsiphash_4u32(const u32 first, const u32 second, const u32 third, |
7759 | } |
7760 | EXPORT_SYMBOL(hsiphash_4u32); |
7761 | #else |
7762 | -#define HSIPROUND \ |
7763 | - do { \ |
7764 | - v0 += v1; v1 = rol32(v1, 5); v1 ^= v0; v0 = rol32(v0, 16); \ |
7765 | - v2 += v3; v3 = rol32(v3, 8); v3 ^= v2; \ |
7766 | - v0 += v3; v3 = rol32(v3, 7); v3 ^= v0; \ |
7767 | - v2 += v1; v1 = rol32(v1, 13); v1 ^= v2; v2 = rol32(v2, 16); \ |
7768 | - } while (0) |
7769 | +#define HSIPROUND HSIPHASH_PERMUTATION(v0, v1, v2, v3) |
7770 | |
7771 | #define HPREAMBLE(len) \ |
7772 | - u32 v0 = 0; \ |
7773 | - u32 v1 = 0; \ |
7774 | - u32 v2 = 0x6c796765U; \ |
7775 | - u32 v3 = 0x74656462U; \ |
7776 | + u32 v0 = HSIPHASH_CONST_0; \ |
7777 | + u32 v1 = HSIPHASH_CONST_1; \ |
7778 | + u32 v2 = HSIPHASH_CONST_2; \ |
7779 | + u32 v3 = HSIPHASH_CONST_3; \ |
7780 | u32 b = ((u32)(len)) << 24; \ |
7781 | v3 ^= key->key[1]; \ |
7782 | v2 ^= key->key[0]; \ |
7783 | diff --git a/lib/vsprintf.c b/lib/vsprintf.c |
7784 | index 2766d1b2c301d..393623bf3258f 100644 |
7785 | --- a/lib/vsprintf.c |
7786 | +++ b/lib/vsprintf.c |
7787 | @@ -731,14 +731,16 @@ static void enable_ptr_key_workfn(struct work_struct *work) |
7788 | |
7789 | static DECLARE_WORK(enable_ptr_key_work, enable_ptr_key_workfn); |
7790 | |
7791 | -static void fill_random_ptr_key(struct random_ready_callback *unused) |
7792 | +static int fill_random_ptr_key(struct notifier_block *nb, |
7793 | + unsigned long action, void *data) |
7794 | { |
7795 | /* This may be in an interrupt handler. */ |
7796 | queue_work(system_unbound_wq, &enable_ptr_key_work); |
7797 | + return 0; |
7798 | } |
7799 | |
7800 | -static struct random_ready_callback random_ready = { |
7801 | - .func = fill_random_ptr_key |
7802 | +static struct notifier_block random_ready = { |
7803 | + .notifier_call = fill_random_ptr_key |
7804 | }; |
7805 | |
7806 | static int __init initialize_ptr_random(void) |
7807 | @@ -752,7 +754,7 @@ static int __init initialize_ptr_random(void) |
7808 | return 0; |
7809 | } |
7810 | |
7811 | - ret = add_random_ready_callback(&random_ready); |
7812 | + ret = register_random_ready_notifier(&random_ready); |
7813 | if (!ret) { |
7814 | return 0; |
7815 | } else if (ret == -EALREADY) { |
7816 | diff --git a/mm/util.c b/mm/util.c |
7817 | index ab358c64bbd3e..04ebc76588aac 100644 |
7818 | --- a/mm/util.c |
7819 | +++ b/mm/util.c |
7820 | @@ -320,6 +320,38 @@ unsigned long randomize_stack_top(unsigned long stack_top) |
7821 | #endif |
7822 | } |
7823 | |
7824 | +/** |
7825 | + * randomize_page - Generate a random, page aligned address |
7826 | + * @start: The smallest acceptable address the caller will take. |
7827 | + * @range: The size of the area, starting at @start, within which the |
7828 | + * random address must fall. |
7829 | + * |
7830 | + * If @start + @range would overflow, @range is capped. |
7831 | + * |
7832 | + * NOTE: Historical use of randomize_range, which this replaces, presumed that |
7833 | + * @start was already page aligned. We now align it regardless. |
7834 | + * |
7835 | + * Return: A page aligned address within [start, start + range). On error, |
7836 | + * @start is returned. |
7837 | + */ |
7838 | +unsigned long randomize_page(unsigned long start, unsigned long range) |
7839 | +{ |
7840 | + if (!PAGE_ALIGNED(start)) { |
7841 | + range -= PAGE_ALIGN(start) - start; |
7842 | + start = PAGE_ALIGN(start); |
7843 | + } |
7844 | + |
7845 | + if (start > ULONG_MAX - range) |
7846 | + range = ULONG_MAX - start; |
7847 | + |
7848 | + range >>= PAGE_SHIFT; |
7849 | + |
7850 | + if (range == 0) |
7851 | + return start; |
7852 | + |
7853 | + return start + (get_random_long() % range << PAGE_SHIFT); |
7854 | +} |
7855 | + |
7856 | #ifdef CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT |
7857 | unsigned long arch_randomize_brk(struct mm_struct *mm) |
7858 | { |
7859 | diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c |
7860 | index 0fa694bd3f6a9..23e9ce985ed6a 100644 |
7861 | --- a/net/l2tp/l2tp_ip6.c |
7862 | +++ b/net/l2tp/l2tp_ip6.c |
7863 | @@ -515,14 +515,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) |
7864 | struct ipcm6_cookie ipc6; |
7865 | int addr_len = msg->msg_namelen; |
7866 | int transhdrlen = 4; /* zero session-id */ |
7867 | - int ulen = len + transhdrlen; |
7868 | + int ulen; |
7869 | int err; |
7870 | |
7871 | /* Rough check on arithmetic overflow, |
7872 | better check is made in ip6_append_data(). |
7873 | */ |
7874 | - if (len > INT_MAX) |
7875 | + if (len > INT_MAX - transhdrlen) |
7876 | return -EMSGSIZE; |
7877 | + ulen = len + transhdrlen; |
7878 | |
7879 | /* Mirror BSD error message compatibility */ |
7880 | if (msg->msg_flags & MSG_OOB) |
7881 | diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c |
7882 | index ae40593daf214..9e8a5c4862d04 100644 |
7883 | --- a/net/openvswitch/actions.c |
7884 | +++ b/net/openvswitch/actions.c |
7885 | @@ -377,6 +377,7 @@ static void set_ip_addr(struct sk_buff *skb, struct iphdr *nh, |
7886 | update_ip_l4_checksum(skb, nh, *addr, new_addr); |
7887 | csum_replace4(&nh->check, *addr, new_addr); |
7888 | skb_clear_hash(skb); |
7889 | + ovs_ct_clear(skb, NULL); |
7890 | *addr = new_addr; |
7891 | } |
7892 | |
7893 | @@ -424,6 +425,7 @@ static void set_ipv6_addr(struct sk_buff *skb, u8 l4_proto, |
7894 | update_ipv6_checksum(skb, l4_proto, addr, new_addr); |
7895 | |
7896 | skb_clear_hash(skb); |
7897 | + ovs_ct_clear(skb, NULL); |
7898 | memcpy(addr, new_addr, sizeof(__be32[4])); |
7899 | } |
7900 | |
7901 | @@ -664,6 +666,7 @@ static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, |
7902 | static void set_tp_port(struct sk_buff *skb, __be16 *port, |
7903 | __be16 new_port, __sum16 *check) |
7904 | { |
7905 | + ovs_ct_clear(skb, NULL); |
7906 | inet_proto_csum_replace2(check, skb, *port, new_port, false); |
7907 | *port = new_port; |
7908 | } |
7909 | @@ -703,6 +706,7 @@ static int set_udp(struct sk_buff *skb, struct sw_flow_key *flow_key, |
7910 | uh->dest = dst; |
7911 | flow_key->tp.src = src; |
7912 | flow_key->tp.dst = dst; |
7913 | + ovs_ct_clear(skb, NULL); |
7914 | } |
7915 | |
7916 | skb_clear_hash(skb); |
7917 | @@ -765,6 +769,8 @@ static int set_sctp(struct sk_buff *skb, struct sw_flow_key *flow_key, |
7918 | sh->checksum = old_csum ^ old_correct_csum ^ new_csum; |
7919 | |
7920 | skb_clear_hash(skb); |
7921 | + ovs_ct_clear(skb, NULL); |
7922 | + |
7923 | flow_key->tp.src = sh->source; |
7924 | flow_key->tp.dst = sh->dest; |
7925 | |
7926 | diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c |
7927 | index 816036b9c223a..78448b6888ddc 100644 |
7928 | --- a/net/openvswitch/conntrack.c |
7929 | +++ b/net/openvswitch/conntrack.c |
7930 | @@ -1319,7 +1319,8 @@ int ovs_ct_clear(struct sk_buff *skb, struct sw_flow_key *key) |
7931 | if (skb_nfct(skb)) { |
7932 | nf_conntrack_put(skb_nfct(skb)); |
7933 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); |
7934 | - ovs_ct_fill_key(skb, key); |
7935 | + if (key) |
7936 | + ovs_ct_fill_key(skb, key); |
7937 | } |
7938 | |
7939 | return 0; |
7940 | diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c |
7941 | index 8461de79f67b4..67125939d7eee 100644 |
7942 | --- a/net/openvswitch/flow_netlink.c |
7943 | +++ b/net/openvswitch/flow_netlink.c |
7944 | @@ -2266,6 +2266,51 @@ static struct sw_flow_actions *nla_alloc_flow_actions(int size) |
7945 | return sfa; |
7946 | } |
7947 | |
7948 | +static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len); |
7949 | + |
7950 | +static void ovs_nla_free_check_pkt_len_action(const struct nlattr *action) |
7951 | +{ |
7952 | + const struct nlattr *a; |
7953 | + int rem; |
7954 | + |
7955 | + nla_for_each_nested(a, action, rem) { |
7956 | + switch (nla_type(a)) { |
7957 | + case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL: |
7958 | + case OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_GREATER: |
7959 | + ovs_nla_free_nested_actions(nla_data(a), nla_len(a)); |
7960 | + break; |
7961 | + } |
7962 | + } |
7963 | +} |
7964 | + |
7965 | +static void ovs_nla_free_clone_action(const struct nlattr *action) |
7966 | +{ |
7967 | + const struct nlattr *a = nla_data(action); |
7968 | + int rem = nla_len(action); |
7969 | + |
7970 | + switch (nla_type(a)) { |
7971 | + case OVS_CLONE_ATTR_EXEC: |
7972 | + /* The real list of actions follows this attribute. */ |
7973 | + a = nla_next(a, &rem); |
7974 | + ovs_nla_free_nested_actions(a, rem); |
7975 | + break; |
7976 | + } |
7977 | +} |
7978 | + |
7979 | +static void ovs_nla_free_sample_action(const struct nlattr *action) |
7980 | +{ |
7981 | + const struct nlattr *a = nla_data(action); |
7982 | + int rem = nla_len(action); |
7983 | + |
7984 | + switch (nla_type(a)) { |
7985 | + case OVS_SAMPLE_ATTR_ARG: |
7986 | + /* The real list of actions follows this attribute. */ |
7987 | + a = nla_next(a, &rem); |
7988 | + ovs_nla_free_nested_actions(a, rem); |
7989 | + break; |
7990 | + } |
7991 | +} |
7992 | + |
7993 | static void ovs_nla_free_set_action(const struct nlattr *a) |
7994 | { |
7995 | const struct nlattr *ovs_key = nla_data(a); |
7996 | @@ -2279,25 +2324,50 @@ static void ovs_nla_free_set_action(const struct nlattr *a) |
7997 | } |
7998 | } |
7999 | |
8000 | -void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) |
8001 | +static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len) |
8002 | { |
8003 | const struct nlattr *a; |
8004 | int rem; |
8005 | |
8006 | - if (!sf_acts) |
8007 | + /* Whenever new actions are added, the need to update this |
8008 | + * function should be considered. |
8009 | + */ |
8010 | + BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 21); |
8011 | + |
8012 | + if (!actions) |
8013 | return; |
8014 | |
8015 | - nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) { |
8016 | + nla_for_each_attr(a, actions, len, rem) { |
8017 | switch (nla_type(a)) { |
8018 | - case OVS_ACTION_ATTR_SET: |
8019 | - ovs_nla_free_set_action(a); |
8020 | + case OVS_ACTION_ATTR_CHECK_PKT_LEN: |
8021 | + ovs_nla_free_check_pkt_len_action(a); |
8022 | break; |
8023 | + |
8024 | + case OVS_ACTION_ATTR_CLONE: |
8025 | + ovs_nla_free_clone_action(a); |
8026 | + break; |
8027 | + |
8028 | case OVS_ACTION_ATTR_CT: |
8029 | ovs_ct_free_action(a); |
8030 | break; |
8031 | + |
8032 | + case OVS_ACTION_ATTR_SAMPLE: |
8033 | + ovs_nla_free_sample_action(a); |
8034 | + break; |
8035 | + |
8036 | + case OVS_ACTION_ATTR_SET: |
8037 | + ovs_nla_free_set_action(a); |
8038 | + break; |
8039 | } |
8040 | } |
8041 | +} |
8042 | + |
8043 | +void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts) |
8044 | +{ |
8045 | + if (!sf_acts) |
8046 | + return; |
8047 | |
8048 | + ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len); |
8049 | kfree(sf_acts); |
8050 | } |
8051 | |
8052 | diff --git a/net/sched/act_police.c b/net/sched/act_police.c |
8053 | index 8fd23a8b88a5e..a7660b602237d 100644 |
8054 | --- a/net/sched/act_police.c |
8055 | +++ b/net/sched/act_police.c |
8056 | @@ -213,6 +213,20 @@ release_idr: |
8057 | return err; |
8058 | } |
8059 | |
8060 | +static bool tcf_police_mtu_check(struct sk_buff *skb, u32 limit) |
8061 | +{ |
8062 | + u32 len; |
8063 | + |
8064 | + if (skb_is_gso(skb)) |
8065 | + return skb_gso_validate_mac_len(skb, limit); |
8066 | + |
8067 | + len = qdisc_pkt_len(skb); |
8068 | + if (skb_at_tc_ingress(skb)) |
8069 | + len += skb->mac_len; |
8070 | + |
8071 | + return len <= limit; |
8072 | +} |
8073 | + |
8074 | static int tcf_police_act(struct sk_buff *skb, const struct tc_action *a, |
8075 | struct tcf_result *res) |
8076 | { |
8077 | @@ -235,7 +249,7 @@ static int tcf_police_act(struct sk_buff *skb, const struct tc_action *a, |
8078 | goto inc_overlimits; |
8079 | } |
8080 | |
8081 | - if (qdisc_pkt_len(skb) <= p->tcfp_mtu) { |
8082 | + if (tcf_police_mtu_check(skb, p->tcfp_mtu)) { |
8083 | if (!p->rate_present) { |
8084 | ret = p->tcfp_result; |
8085 | goto end; |
8086 | diff --git a/scripts/faddr2line b/scripts/faddr2line |
8087 | index 0e6268d598835..94ed98dd899f3 100755 |
8088 | --- a/scripts/faddr2line |
8089 | +++ b/scripts/faddr2line |
8090 | @@ -95,17 +95,25 @@ __faddr2line() { |
8091 | local print_warnings=$4 |
8092 | |
8093 | local sym_name=${func_addr%+*} |
8094 | - local offset=${func_addr#*+} |
8095 | - offset=${offset%/*} |
8096 | + local func_offset=${func_addr#*+} |
8097 | + func_offset=${func_offset%/*} |
8098 | local user_size= |
8099 | + local file_type |
8100 | + local is_vmlinux=0 |
8101 | [[ $func_addr =~ "/" ]] && user_size=${func_addr#*/} |
8102 | |
8103 | - if [[ -z $sym_name ]] || [[ -z $offset ]] || [[ $sym_name = $func_addr ]]; then |
8104 | + if [[ -z $sym_name ]] || [[ -z $func_offset ]] || [[ $sym_name = $func_addr ]]; then |
8105 | warn "bad func+offset $func_addr" |
8106 | DONE=1 |
8107 | return |
8108 | fi |
8109 | |
8110 | + # vmlinux uses absolute addresses in the section table rather than |
8111 | + # section offsets. |
8112 | + local file_type=$(${READELF} --file-header $objfile | |
8113 | + ${AWK} '$1 == "Type:" { print $2; exit }') |
8114 | + [[ $file_type = "EXEC" ]] && is_vmlinux=1 |
8115 | + |
8116 | # Go through each of the object's symbols which match the func name. |
8117 | # In rare cases there might be duplicates, in which case we print all |
8118 | # matches. |
8119 | @@ -114,9 +122,11 @@ __faddr2line() { |
8120 | local sym_addr=0x${fields[1]} |
8121 | local sym_elf_size=${fields[2]} |
8122 | local sym_sec=${fields[6]} |
8123 | + local sec_size |
8124 | + local sec_name |
8125 | |
8126 | # Get the section size: |
8127 | - local sec_size=$(${READELF} --section-headers --wide $objfile | |
8128 | + sec_size=$(${READELF} --section-headers --wide $objfile | |
8129 | sed 's/\[ /\[/' | |
8130 | ${AWK} -v sec=$sym_sec '$1 == "[" sec "]" { print "0x" $6; exit }') |
8131 | |
8132 | @@ -126,6 +136,17 @@ __faddr2line() { |
8133 | return |
8134 | fi |
8135 | |
8136 | + # Get the section name: |
8137 | + sec_name=$(${READELF} --section-headers --wide $objfile | |
8138 | + sed 's/\[ /\[/' | |
8139 | + ${AWK} -v sec=$sym_sec '$1 == "[" sec "]" { print $2; exit }') |
8140 | + |
8141 | + if [[ -z $sec_name ]]; then |
8142 | + warn "bad section name: section: $sym_sec" |
8143 | + DONE=1 |
8144 | + return |
8145 | + fi |
8146 | + |
8147 | # Calculate the symbol size. |
8148 | # |
8149 | # Unfortunately we can't use the ELF size, because kallsyms |
8150 | @@ -174,10 +195,10 @@ __faddr2line() { |
8151 | |
8152 | sym_size=0x$(printf %x $sym_size) |
8153 | |
8154 | - # Calculate the section address from user-supplied offset: |
8155 | - local addr=$(($sym_addr + $offset)) |
8156 | + # Calculate the address from user-supplied offset: |
8157 | + local addr=$(($sym_addr + $func_offset)) |
8158 | if [[ -z $addr ]] || [[ $addr = 0 ]]; then |
8159 | - warn "bad address: $sym_addr + $offset" |
8160 | + warn "bad address: $sym_addr + $func_offset" |
8161 | DONE=1 |
8162 | return |
8163 | fi |
8164 | @@ -191,9 +212,9 @@ __faddr2line() { |
8165 | fi |
8166 | |
8167 | # Make sure the provided offset is within the symbol's range: |
8168 | - if [[ $offset -gt $sym_size ]]; then |
8169 | + if [[ $func_offset -gt $sym_size ]]; then |
8170 | [[ $print_warnings = 1 ]] && |
8171 | - echo "skipping $sym_name address at $addr due to size mismatch ($offset > $sym_size)" |
8172 | + echo "skipping $sym_name address at $addr due to size mismatch ($func_offset > $sym_size)" |
8173 | continue |
8174 | fi |
8175 | |
8176 | @@ -202,11 +223,13 @@ __faddr2line() { |
8177 | [[ $FIRST = 0 ]] && echo |
8178 | FIRST=0 |
8179 | |
8180 | - echo "$sym_name+$offset/$sym_size:" |
8181 | + echo "$sym_name+$func_offset/$sym_size:" |
8182 | |
8183 | # Pass section address to addr2line and strip absolute paths |
8184 | # from the output: |
8185 | - local output=$(${ADDR2LINE} -fpie $objfile $addr | sed "s; $dir_prefix\(\./\)*; ;") |
8186 | + local args="--functions --pretty-print --inlines --exe=$objfile" |
8187 | + [[ $is_vmlinux = 0 ]] && args="$args --section=$sec_name" |
8188 | + local output=$(${ADDR2LINE} $args $addr | sed "s; $dir_prefix\(\./\)*; ;") |
8189 | [[ -z $output ]] && continue |
8190 | |
8191 | # Default output (non --list): |
8192 | diff --git a/sound/hda/hdac_device.c b/sound/hda/hdac_device.c |
8193 | index b84e12f4f8046..489f996d86bcb 100644 |
8194 | --- a/sound/hda/hdac_device.c |
8195 | +++ b/sound/hda/hdac_device.c |
8196 | @@ -656,6 +656,7 @@ static struct hda_vendor_id hda_vendor_ids[] = { |
8197 | { 0x14f1, "Conexant" }, |
8198 | { 0x17e8, "Chrontel" }, |
8199 | { 0x1854, "LG" }, |
8200 | + { 0x19e5, "Huawei" }, |
8201 | { 0x1aec, "Wolfson Microelectronics" }, |
8202 | { 0x1af4, "QEMU" }, |
8203 | { 0x434d, "C-Media" }, |
8204 | diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c |
8205 | index 8a221866ab01b..8c37de7793463 100644 |
8206 | --- a/sound/pci/hda/patch_realtek.c |
8207 | +++ b/sound/pci/hda/patch_realtek.c |
8208 | @@ -382,6 +382,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec) |
8209 | case 0x10ec0245: |
8210 | case 0x10ec0255: |
8211 | case 0x10ec0256: |
8212 | + case 0x19e58326: |
8213 | case 0x10ec0257: |
8214 | case 0x10ec0282: |
8215 | case 0x10ec0283: |
8216 | @@ -519,6 +520,7 @@ static void alc_shutup_pins(struct hda_codec *codec) |
8217 | switch (codec->core.vendor_id) { |
8218 | case 0x10ec0236: |
8219 | case 0x10ec0256: |
8220 | + case 0x19e58326: |
8221 | case 0x10ec0283: |
8222 | case 0x10ec0286: |
8223 | case 0x10ec0288: |
8224 | @@ -3194,6 +3196,7 @@ static void alc_disable_headset_jack_key(struct hda_codec *codec) |
8225 | case 0x10ec0230: |
8226 | case 0x10ec0236: |
8227 | case 0x10ec0256: |
8228 | + case 0x19e58326: |
8229 | alc_write_coef_idx(codec, 0x48, 0x0); |
8230 | alc_update_coef_idx(codec, 0x49, 0x0045, 0x0); |
8231 | break; |
8232 | @@ -3222,6 +3225,7 @@ static void alc_enable_headset_jack_key(struct hda_codec *codec) |
8233 | case 0x10ec0230: |
8234 | case 0x10ec0236: |
8235 | case 0x10ec0256: |
8236 | + case 0x19e58326: |
8237 | alc_write_coef_idx(codec, 0x48, 0xd011); |
8238 | alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045); |
8239 | break; |
8240 | @@ -4292,6 +4296,12 @@ static void alc_fixup_hp_gpio_led(struct hda_codec *codec, |
8241 | } |
8242 | } |
8243 | |
8244 | +static void alc236_fixup_hp_gpio_led(struct hda_codec *codec, |
8245 | + const struct hda_fixup *fix, int action) |
8246 | +{ |
8247 | + alc_fixup_hp_gpio_led(codec, action, 0x02, 0x01); |
8248 | +} |
8249 | + |
8250 | static void alc269_fixup_hp_gpio_led(struct hda_codec *codec, |
8251 | const struct hda_fixup *fix, int action) |
8252 | { |
8253 | @@ -4684,6 +4694,7 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec) |
8254 | case 0x10ec0230: |
8255 | case 0x10ec0236: |
8256 | case 0x10ec0256: |
8257 | + case 0x19e58326: |
8258 | alc_process_coef_fw(codec, coef0256); |
8259 | break; |
8260 | case 0x10ec0234: |
8261 | @@ -4799,6 +4810,7 @@ static void alc_headset_mode_mic_in(struct hda_codec *codec, hda_nid_t hp_pin, |
8262 | case 0x10ec0230: |
8263 | case 0x10ec0236: |
8264 | case 0x10ec0256: |
8265 | + case 0x19e58326: |
8266 | alc_write_coef_idx(codec, 0x45, 0xc489); |
8267 | snd_hda_set_pin_ctl_cache(codec, hp_pin, 0); |
8268 | alc_process_coef_fw(codec, coef0256); |
8269 | @@ -4949,6 +4961,7 @@ static void alc_headset_mode_default(struct hda_codec *codec) |
8270 | case 0x10ec0230: |
8271 | case 0x10ec0236: |
8272 | case 0x10ec0256: |
8273 | + case 0x19e58326: |
8274 | alc_write_coef_idx(codec, 0x1b, 0x0e4b); |
8275 | alc_write_coef_idx(codec, 0x45, 0xc089); |
8276 | msleep(50); |
8277 | @@ -5048,6 +5061,7 @@ static void alc_headset_mode_ctia(struct hda_codec *codec) |
8278 | case 0x10ec0230: |
8279 | case 0x10ec0236: |
8280 | case 0x10ec0256: |
8281 | + case 0x19e58326: |
8282 | alc_process_coef_fw(codec, coef0256); |
8283 | break; |
8284 | case 0x10ec0234: |
8285 | @@ -5162,6 +5176,7 @@ static void alc_headset_mode_omtp(struct hda_codec *codec) |
8286 | case 0x10ec0230: |
8287 | case 0x10ec0236: |
8288 | case 0x10ec0256: |
8289 | + case 0x19e58326: |
8290 | alc_process_coef_fw(codec, coef0256); |
8291 | break; |
8292 | case 0x10ec0234: |
8293 | @@ -5258,6 +5273,7 @@ static void alc_determine_headset_type(struct hda_codec *codec) |
8294 | case 0x10ec0230: |
8295 | case 0x10ec0236: |
8296 | case 0x10ec0256: |
8297 | + case 0x19e58326: |
8298 | alc_write_coef_idx(codec, 0x1b, 0x0e4b); |
8299 | alc_write_coef_idx(codec, 0x06, 0x6104); |
8300 | alc_write_coefex_idx(codec, 0x57, 0x3, 0x09a3); |
8301 | @@ -5552,6 +5568,7 @@ static void alc255_set_default_jack_type(struct hda_codec *codec) |
8302 | case 0x10ec0230: |
8303 | case 0x10ec0236: |
8304 | case 0x10ec0256: |
8305 | + case 0x19e58326: |
8306 | alc_process_coef_fw(codec, alc256fw); |
8307 | break; |
8308 | } |
8309 | @@ -6155,6 +6172,7 @@ static void alc_combo_jack_hp_jd_restart(struct hda_codec *codec) |
8310 | case 0x10ec0236: |
8311 | case 0x10ec0255: |
8312 | case 0x10ec0256: |
8313 | + case 0x19e58326: |
8314 | alc_update_coef_idx(codec, 0x1b, 0x8000, 1 << 15); /* Reset HP JD */ |
8315 | alc_update_coef_idx(codec, 0x1b, 0x8000, 0 << 15); |
8316 | break; |
8317 | @@ -6465,6 +6483,7 @@ enum { |
8318 | ALC294_FIXUP_ASUS_GU502_VERBS, |
8319 | ALC285_FIXUP_HP_GPIO_LED, |
8320 | ALC285_FIXUP_HP_MUTE_LED, |
8321 | + ALC236_FIXUP_HP_GPIO_LED, |
8322 | ALC236_FIXUP_HP_MUTE_LED, |
8323 | ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, |
8324 | ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, |
8325 | @@ -7741,6 +7760,10 @@ static const struct hda_fixup alc269_fixups[] = { |
8326 | .type = HDA_FIXUP_FUNC, |
8327 | .v.func = alc285_fixup_hp_mute_led, |
8328 | }, |
8329 | + [ALC236_FIXUP_HP_GPIO_LED] = { |
8330 | + .type = HDA_FIXUP_FUNC, |
8331 | + .v.func = alc236_fixup_hp_gpio_led, |
8332 | + }, |
8333 | [ALC236_FIXUP_HP_MUTE_LED] = { |
8334 | .type = HDA_FIXUP_FUNC, |
8335 | .v.func = alc236_fixup_hp_mute_led, |
8336 | @@ -8162,6 +8185,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { |
8337 | SND_PCI_QUIRK(0x103c, 0x8760, "HP", ALC285_FIXUP_HP_MUTE_LED), |
8338 | SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), |
8339 | SND_PCI_QUIRK(0x103c, 0x877d, "HP", ALC236_FIXUP_HP_MUTE_LED), |
8340 | + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), |
8341 | + SND_PCI_QUIRK(0x103c, 0x89aa, "HP EliteBook 630 G9", ALC236_FIXUP_HP_GPIO_LED), |
8342 | SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), |
8343 | SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), |
8344 | SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), |
8345 | @@ -9160,6 +9185,7 @@ static int patch_alc269(struct hda_codec *codec) |
8346 | case 0x10ec0230: |
8347 | case 0x10ec0236: |
8348 | case 0x10ec0256: |
8349 | + case 0x19e58326: |
8350 | spec->codec_variant = ALC269_TYPE_ALC256; |
8351 | spec->shutup = alc256_shutup; |
8352 | spec->init_hook = alc256_init; |
8353 | @@ -10602,6 +10628,7 @@ static const struct hda_device_id snd_hda_id_realtek[] = { |
8354 | HDA_CODEC_ENTRY(0x10ec0b00, "ALCS1200A", patch_alc882), |
8355 | HDA_CODEC_ENTRY(0x10ec1168, "ALC1220", patch_alc882), |
8356 | HDA_CODEC_ENTRY(0x10ec1220, "ALC1220", patch_alc882), |
8357 | + HDA_CODEC_ENTRY(0x19e58326, "HW8326", patch_alc269), |
8358 | {} /* terminator */ |
8359 | }; |
8360 | MODULE_DEVICE_TABLE(hdaudio, snd_hda_id_realtek); |
8361 | diff --git a/sound/soc/codecs/cs35l36.c b/sound/soc/codecs/cs35l36.c |
8362 | index e9b5f76f27a86..aa32b8c26578a 100644 |
8363 | --- a/sound/soc/codecs/cs35l36.c |
8364 | +++ b/sound/soc/codecs/cs35l36.c |
8365 | @@ -444,7 +444,8 @@ static bool cs35l36_volatile_reg(struct device *dev, unsigned int reg) |
8366 | } |
8367 | } |
8368 | |
8369 | -static DECLARE_TLV_DB_SCALE(dig_vol_tlv, -10200, 25, 0); |
8370 | +static const DECLARE_TLV_DB_RANGE(dig_vol_tlv, 0, 912, |
8371 | + TLV_DB_MINMAX_ITEM(-10200, 1200)); |
8372 | static DECLARE_TLV_DB_SCALE(amp_gain_tlv, 0, 1, 1); |
8373 | |
8374 | static const char * const cs35l36_pcm_sftramp_text[] = { |
8375 | diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c |
8376 | index 2ea4cba3be2ad..6c054b357205b 100644 |
8377 | --- a/sound/soc/codecs/cs42l52.c |
8378 | +++ b/sound/soc/codecs/cs42l52.c |
8379 | @@ -137,7 +137,9 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0); |
8380 | |
8381 | static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0); |
8382 | |
8383 | -static DECLARE_TLV_DB_SCALE(mix_tlv, -50, 50, 0); |
8384 | +static DECLARE_TLV_DB_SCALE(pass_tlv, -6000, 50, 0); |
8385 | + |
8386 | +static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0); |
8387 | |
8388 | static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0); |
8389 | |
8390 | @@ -351,7 +353,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = { |
8391 | CS42L52_SPKB_VOL, 0, 0x40, 0xC0, hl_tlv), |
8392 | |
8393 | SOC_DOUBLE_R_SX_TLV("Bypass Volume", CS42L52_PASSTHRUA_VOL, |
8394 | - CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pga_tlv), |
8395 | + CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pass_tlv), |
8396 | |
8397 | SOC_DOUBLE("Bypass Mute", CS42L52_MISC_CTL, 4, 5, 1, 0), |
8398 | |
8399 | @@ -364,7 +366,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = { |
8400 | CS42L52_ADCB_VOL, 0, 0xA0, 0x78, ipd_tlv), |
8401 | SOC_DOUBLE_R_SX_TLV("ADC Mixer Volume", |
8402 | CS42L52_ADCA_MIXER_VOL, CS42L52_ADCB_MIXER_VOL, |
8403 | - 0, 0x19, 0x7F, ipd_tlv), |
8404 | + 0, 0x19, 0x7F, mix_tlv), |
8405 | |
8406 | SOC_DOUBLE("ADC Switch", CS42L52_ADC_MISC_CTL, 0, 1, 1, 0), |
8407 | |
8408 | diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c |
8409 | index 51d7a87ab4c3b..8be7d83f0ce9a 100644 |
8410 | --- a/sound/soc/codecs/cs42l56.c |
8411 | +++ b/sound/soc/codecs/cs42l56.c |
8412 | @@ -391,9 +391,9 @@ static const struct snd_kcontrol_new cs42l56_snd_controls[] = { |
8413 | SOC_DOUBLE("ADC Boost Switch", CS42L56_GAIN_BIAS_CTL, 3, 2, 1, 1), |
8414 | |
8415 | SOC_DOUBLE_R_SX_TLV("Headphone Volume", CS42L56_HPA_VOLUME, |
8416 | - CS42L56_HPB_VOLUME, 0, 0x84, 0x48, hl_tlv), |
8417 | + CS42L56_HPB_VOLUME, 0, 0x44, 0x48, hl_tlv), |
8418 | SOC_DOUBLE_R_SX_TLV("LineOut Volume", CS42L56_LOA_VOLUME, |
8419 | - CS42L56_LOB_VOLUME, 0, 0x84, 0x48, hl_tlv), |
8420 | + CS42L56_LOB_VOLUME, 0, 0x44, 0x48, hl_tlv), |
8421 | |
8422 | SOC_SINGLE_TLV("Bass Shelving Volume", CS42L56_TONE_CTL, |
8423 | 0, 0x00, 1, tone_tlv), |
8424 | diff --git a/sound/soc/codecs/cs53l30.c b/sound/soc/codecs/cs53l30.c |
8425 | index ed22361b35c14..a5a383b923054 100644 |
8426 | --- a/sound/soc/codecs/cs53l30.c |
8427 | +++ b/sound/soc/codecs/cs53l30.c |
8428 | @@ -347,22 +347,22 @@ static const struct snd_kcontrol_new cs53l30_snd_controls[] = { |
8429 | SOC_ENUM("ADC2 NG Delay", adc2_ng_delay_enum), |
8430 | |
8431 | SOC_SINGLE_SX_TLV("ADC1A PGA Volume", |
8432 | - CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), |
8433 | + CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), |
8434 | SOC_SINGLE_SX_TLV("ADC1B PGA Volume", |
8435 | - CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), |
8436 | + CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), |
8437 | SOC_SINGLE_SX_TLV("ADC2A PGA Volume", |
8438 | - CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), |
8439 | + CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), |
8440 | SOC_SINGLE_SX_TLV("ADC2B PGA Volume", |
8441 | - CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), |
8442 | + CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), |
8443 | |
8444 | SOC_SINGLE_SX_TLV("ADC1A Digital Volume", |
8445 | - CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), |
8446 | + CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), |
8447 | SOC_SINGLE_SX_TLV("ADC1B Digital Volume", |
8448 | - CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), |
8449 | + CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), |
8450 | SOC_SINGLE_SX_TLV("ADC2A Digital Volume", |
8451 | - CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), |
8452 | + CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), |
8453 | SOC_SINGLE_SX_TLV("ADC2B Digital Volume", |
8454 | - CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), |
8455 | + CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), |
8456 | }; |
8457 | |
8458 | static const struct snd_soc_dapm_widget cs53l30_dapm_widgets[] = { |
8459 | diff --git a/sound/soc/codecs/es8328.c b/sound/soc/codecs/es8328.c |
8460 | index fdf64c29f563d..4117ab6e9b6ff 100644 |
8461 | --- a/sound/soc/codecs/es8328.c |
8462 | +++ b/sound/soc/codecs/es8328.c |
8463 | @@ -161,13 +161,16 @@ static int es8328_put_deemph(struct snd_kcontrol *kcontrol, |
8464 | if (deemph > 1) |
8465 | return -EINVAL; |
8466 | |
8467 | + if (es8328->deemph == deemph) |
8468 | + return 0; |
8469 | + |
8470 | ret = es8328_set_deemph(component); |
8471 | if (ret < 0) |
8472 | return ret; |
8473 | |
8474 | es8328->deemph = deemph; |
8475 | |
8476 | - return 0; |
8477 | + return 1; |
8478 | } |
8479 | |
8480 | |
8481 | diff --git a/sound/soc/codecs/nau8822.c b/sound/soc/codecs/nau8822.c |
8482 | index 78db3bd0b3bcb..cd163978792e9 100644 |
8483 | --- a/sound/soc/codecs/nau8822.c |
8484 | +++ b/sound/soc/codecs/nau8822.c |
8485 | @@ -740,6 +740,8 @@ static int nau8822_set_pll(struct snd_soc_dai *dai, int pll_id, int source, |
8486 | pll_param->pll_int, pll_param->pll_frac, |
8487 | pll_param->mclk_scaler, pll_param->pre_factor); |
8488 | |
8489 | + snd_soc_component_update_bits(component, |
8490 | + NAU8822_REG_POWER_MANAGEMENT_1, NAU8822_PLL_EN_MASK, NAU8822_PLL_OFF); |
8491 | snd_soc_component_update_bits(component, |
8492 | NAU8822_REG_PLL_N, NAU8822_PLLMCLK_DIV2 | NAU8822_PLLN_MASK, |
8493 | (pll_param->pre_factor ? NAU8822_PLLMCLK_DIV2 : 0) | |
8494 | @@ -757,6 +759,8 @@ static int nau8822_set_pll(struct snd_soc_dai *dai, int pll_id, int source, |
8495 | pll_param->mclk_scaler << NAU8822_MCLKSEL_SFT); |
8496 | snd_soc_component_update_bits(component, |
8497 | NAU8822_REG_CLOCKING, NAU8822_CLKM_MASK, NAU8822_CLKM_PLL); |
8498 | + snd_soc_component_update_bits(component, |
8499 | + NAU8822_REG_POWER_MANAGEMENT_1, NAU8822_PLL_EN_MASK, NAU8822_PLL_ON); |
8500 | |
8501 | return 0; |
8502 | } |
8503 | diff --git a/sound/soc/codecs/nau8822.h b/sound/soc/codecs/nau8822.h |
8504 | index 489191ff187ec..b45d42c15de6b 100644 |
8505 | --- a/sound/soc/codecs/nau8822.h |
8506 | +++ b/sound/soc/codecs/nau8822.h |
8507 | @@ -90,6 +90,9 @@ |
8508 | #define NAU8822_REFIMP_3K 0x3 |
8509 | #define NAU8822_IOBUF_EN (0x1 << 2) |
8510 | #define NAU8822_ABIAS_EN (0x1 << 3) |
8511 | +#define NAU8822_PLL_EN_MASK (0x1 << 5) |
8512 | +#define NAU8822_PLL_ON (0x1 << 5) |
8513 | +#define NAU8822_PLL_OFF (0x0 << 5) |
8514 | |
8515 | /* NAU8822_REG_AUDIO_INTERFACE (0x4) */ |
8516 | #define NAU8822_AIFMT_MASK (0x3 << 3) |
8517 | diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c |
8518 | index d9d59f45833fd..ebaee468057b8 100644 |
8519 | --- a/sound/soc/codecs/wm8962.c |
8520 | +++ b/sound/soc/codecs/wm8962.c |
8521 | @@ -3854,6 +3854,7 @@ static int wm8962_runtime_suspend(struct device *dev) |
8522 | #endif |
8523 | |
8524 | static const struct dev_pm_ops wm8962_pm = { |
8525 | + SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume) |
8526 | SET_RUNTIME_PM_OPS(wm8962_runtime_suspend, wm8962_runtime_resume, NULL) |
8527 | }; |
8528 | |
8529 | diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c |
8530 | index 13672928da997..aedfa6b2895bd 100644 |
8531 | --- a/sound/soc/codecs/wm_adsp.c |
8532 | +++ b/sound/soc/codecs/wm_adsp.c |
8533 | @@ -791,7 +791,7 @@ int wm_adsp_fw_put(struct snd_kcontrol *kcontrol, |
8534 | struct snd_soc_component *component = snd_soc_kcontrol_component(kcontrol); |
8535 | struct soc_enum *e = (struct soc_enum *)kcontrol->private_value; |
8536 | struct wm_adsp *dsp = snd_soc_component_get_drvdata(component); |
8537 | - int ret = 0; |
8538 | + int ret = 1; |
8539 | |
8540 | if (ucontrol->value.enumerated.item[0] == dsp[e->shift_l].fw) |
8541 | return 0; |