Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.19 commit in: /
Date: Sat, 25 Jun 2022 10:22:40
Message-Id: 1656152542.05804623611103d533e73623346a4c790451607a.mpagano@gentoo
1 commit: 05804623611103d533e73623346a4c790451607a
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jun 25 10:22:22 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sat Jun 25 10:22:22 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=05804623
7
8 Linux patch 4.19.249
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1248_linux-4.19.249.patch | 7929 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 7933 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index e2ee3819..de0e7128 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1031,6 +1031,10 @@ Patch: 1247_linux-4.19.248.patch
21 From: https://www.kernel.org
22 Desc: Linux 4.19.248
23
24 +Patch: 1248_linux-4.19.249.patch
25 +From: https://www.kernel.org
26 +Desc: Linux 4.19.249
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1248_linux-4.19.249.patch b/1248_linux-4.19.249.patch
33 new file mode 100644
34 index 00000000..d2d01e98
35 --- /dev/null
36 +++ b/1248_linux-4.19.249.patch
37 @@ -0,0 +1,7929 @@
38 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
39 +index 1dea3d23fc4ca..500032af01927 100644
40 +--- a/Documentation/admin-guide/kernel-parameters.txt
41 ++++ b/Documentation/admin-guide/kernel-parameters.txt
42 +@@ -3697,6 +3697,12 @@
43 + fully seed the kernel's CRNG. Default is controlled
44 + by CONFIG_RANDOM_TRUST_CPU.
45 +
46 ++ random.trust_bootloader={on,off}
47 ++ [KNL] Enable or disable trusting the use of a
48 ++ seed passed by the bootloader (if available) to
49 ++ fully seed the kernel's CRNG. Default is controlled
50 ++ by CONFIG_RANDOM_TRUST_BOOTLOADER.
51 ++
52 + ras=option[,option,...] [KNL] RAS-specific options
53 +
54 + cec_disable [X86]
55 +diff --git a/Documentation/hwmon/hwmon-kernel-api.txt b/Documentation/hwmon/hwmon-kernel-api.txt
56 +index 4981df157b04a..eb7a78aebb380 100644
57 +--- a/Documentation/hwmon/hwmon-kernel-api.txt
58 ++++ b/Documentation/hwmon/hwmon-kernel-api.txt
59 +@@ -71,7 +71,7 @@ hwmon_device_register_with_info is the most comprehensive and preferred means
60 + to register a hardware monitoring device. It creates the standard sysfs
61 + attributes in the hardware monitoring core, letting the driver focus on reading
62 + from and writing to the chip instead of having to bother with sysfs attributes.
63 +-The parent device parameter as well as the chip parameter must not be NULL. Its
64 ++The parent device parameter cannot be NULL with non-NULL chip info. Its
65 + parameters are described in more detail below.
66 +
67 + devm_hwmon_device_register_with_info is similar to
68 +diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
69 +index 8bd3b01539593..db1676525ca35 100644
70 +--- a/Documentation/sysctl/kernel.txt
71 ++++ b/Documentation/sysctl/kernel.txt
72 +@@ -821,9 +821,40 @@ The kernel command line parameter printk.devkmsg= overrides this and is
73 + a one-time setting until next reboot: once set, it cannot be changed by
74 + this sysctl interface anymore.
75 +
76 +-==============================================================
77 ++pty
78 ++===
79 ++
80 ++See Documentation/filesystems/devpts.rst.
81 ++
82 ++
83 ++random
84 ++======
85 ++
86 ++This is a directory, with the following entries:
87 ++
88 ++* ``boot_id``: a UUID generated the first time this is retrieved, and
89 ++ unvarying after that;
90 ++
91 ++* ``uuid``: a UUID generated every time this is retrieved (this can
92 ++ thus be used to generate UUIDs at will);
93 ++
94 ++* ``entropy_avail``: the pool's entropy count, in bits;
95 ++
96 ++* ``poolsize``: the entropy pool size, in bits;
97 ++
98 ++* ``urandom_min_reseed_secs``: obsolete (used to determine the minimum
99 ++ number of seconds between urandom pool reseeding). This file is
100 ++ writable for compatibility purposes, but writing to it has no effect
101 ++ on any RNG behavior;
102 ++
103 ++* ``write_wakeup_threshold``: when the entropy count drops below this
104 ++ (as a number of bits), processes waiting to write to ``/dev/random``
105 ++ are woken up. This file is writable for compatibility purposes, but
106 ++ writing to it has no effect on any RNG behavior.
107 ++
108 +
109 +-randomize_va_space:
110 ++randomize_va_space
111 ++==================
112 +
113 + This option can be used to select the type of process address
114 + space randomization that is used in the system, for architectures
115 +diff --git a/MAINTAINERS b/MAINTAINERS
116 +index 1061db6fbc326..af0f322cf2f7c 100644
117 +--- a/MAINTAINERS
118 ++++ b/MAINTAINERS
119 +@@ -12239,6 +12239,7 @@ F: arch/mips/configs/generic/board-ranchu.config
120 +
121 + RANDOM NUMBER DRIVER
122 + M: "Theodore Ts'o" <tytso@×××.edu>
123 ++M: Jason A. Donenfeld <Jason@×××××.com>
124 + S: Maintained
125 + F: drivers/char/random.c
126 +
127 +diff --git a/Makefile b/Makefile
128 +index afb8b46398da6..14ba089d5b016 100644
129 +--- a/Makefile
130 ++++ b/Makefile
131 +@@ -1,7 +1,7 @@
132 + # SPDX-License-Identifier: GPL-2.0
133 + VERSION = 4
134 + PATCHLEVEL = 19
135 +-SUBLEVEL = 248
136 ++SUBLEVEL = 249
137 + EXTRAVERSION =
138 + NAME = "People's Front"
139 +
140 +diff --git a/arch/alpha/include/asm/timex.h b/arch/alpha/include/asm/timex.h
141 +index b565cc6f408e9..f89798da8a147 100644
142 +--- a/arch/alpha/include/asm/timex.h
143 ++++ b/arch/alpha/include/asm/timex.h
144 +@@ -28,5 +28,6 @@ static inline cycles_t get_cycles (void)
145 + __asm__ __volatile__ ("rpcc %0" : "=r"(ret));
146 + return ret;
147 + }
148 ++#define get_cycles get_cycles
149 +
150 + #endif
151 +diff --git a/arch/arm/include/asm/timex.h b/arch/arm/include/asm/timex.h
152 +index f6fcc67ef06ef..c06d38f0df8ec 100644
153 +--- a/arch/arm/include/asm/timex.h
154 ++++ b/arch/arm/include/asm/timex.h
155 +@@ -14,5 +14,6 @@
156 +
157 + typedef unsigned long cycles_t;
158 + #define get_cycles() ({ cycles_t c; read_current_timer(&c) ? 0 : c; })
159 ++#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback())
160 +
161 + #endif
162 +diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
163 +index b6618391be8c6..4254d7808def1 100644
164 +--- a/arch/arm64/kernel/ftrace.c
165 ++++ b/arch/arm64/kernel/ftrace.c
166 +@@ -72,7 +72,7 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr)
167 + {
168 + unsigned long pc = rec->ip;
169 + u32 old, new;
170 +- long offset = (long)pc - (long)addr;
171 ++ long offset = (long)addr - (long)pc;
172 +
173 + if (offset < -SZ_128M || offset >= SZ_128M) {
174 + #ifdef CONFIG_ARM64_MODULE_PLTS
175 +@@ -151,7 +151,7 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec,
176 + unsigned long pc = rec->ip;
177 + bool validate = true;
178 + u32 old = 0, new;
179 +- long offset = (long)pc - (long)addr;
180 ++ long offset = (long)addr - (long)pc;
181 +
182 + if (offset < -SZ_128M || offset >= SZ_128M) {
183 + #ifdef CONFIG_ARM64_MODULE_PLTS
184 +diff --git a/arch/ia64/include/asm/timex.h b/arch/ia64/include/asm/timex.h
185 +index 869a3ac6bf23a..7ccc077a60bed 100644
186 +--- a/arch/ia64/include/asm/timex.h
187 ++++ b/arch/ia64/include/asm/timex.h
188 +@@ -39,6 +39,7 @@ get_cycles (void)
189 + ret = ia64_getreg(_IA64_REG_AR_ITC);
190 + return ret;
191 + }
192 ++#define get_cycles get_cycles
193 +
194 + extern void ia64_cpu_local_tick (void);
195 + extern unsigned long long ia64_native_sched_clock (void);
196 +diff --git a/arch/m68k/include/asm/timex.h b/arch/m68k/include/asm/timex.h
197 +index 6a21d93582805..f4a7a340f4cae 100644
198 +--- a/arch/m68k/include/asm/timex.h
199 ++++ b/arch/m68k/include/asm/timex.h
200 +@@ -35,7 +35,7 @@ static inline unsigned long random_get_entropy(void)
201 + {
202 + if (mach_random_get_entropy)
203 + return mach_random_get_entropy();
204 +- return 0;
205 ++ return random_get_entropy_fallback();
206 + }
207 + #define random_get_entropy random_get_entropy
208 +
209 +diff --git a/arch/mips/include/asm/timex.h b/arch/mips/include/asm/timex.h
210 +index 8026baf46e729..2e107886f97ac 100644
211 +--- a/arch/mips/include/asm/timex.h
212 ++++ b/arch/mips/include/asm/timex.h
213 +@@ -76,25 +76,24 @@ static inline cycles_t get_cycles(void)
214 + else
215 + return 0; /* no usable counter */
216 + }
217 ++#define get_cycles get_cycles
218 +
219 + /*
220 + * Like get_cycles - but where c0_count is not available we desperately
221 + * use c0_random in an attempt to get at least a little bit of entropy.
222 +- *
223 +- * R6000 and R6000A neither have a count register nor a random register.
224 +- * That leaves no entropy source in the CPU itself.
225 + */
226 + static inline unsigned long random_get_entropy(void)
227 + {
228 +- unsigned int prid = read_c0_prid();
229 +- unsigned int imp = prid & PRID_IMP_MASK;
230 ++ unsigned int c0_random;
231 +
232 +- if (can_use_mips_counter(prid))
233 ++ if (can_use_mips_counter(read_c0_prid()))
234 + return read_c0_count();
235 +- else if (likely(imp != PRID_IMP_R6000 && imp != PRID_IMP_R6000A))
236 +- return read_c0_random();
237 ++
238 ++ if (cpu_has_3kex)
239 ++ c0_random = (read_c0_random() >> 8) & 0x3f;
240 + else
241 +- return 0; /* no usable register */
242 ++ c0_random = read_c0_random() & 0x3f;
243 ++ return (random_get_entropy_fallback() << 6) | (0x3f - c0_random);
244 + }
245 + #define random_get_entropy random_get_entropy
246 +
247 +diff --git a/arch/nios2/include/asm/timex.h b/arch/nios2/include/asm/timex.h
248 +index 2f2abb28ec2fd..9c9b50599ea30 100644
249 +--- a/arch/nios2/include/asm/timex.h
250 ++++ b/arch/nios2/include/asm/timex.h
251 +@@ -20,5 +20,8 @@
252 + typedef unsigned long cycles_t;
253 +
254 + extern cycles_t get_cycles(void);
255 ++#define get_cycles get_cycles
256 ++
257 ++#define random_get_entropy() (((unsigned long)get_cycles()) ?: random_get_entropy_fallback())
258 +
259 + #endif
260 +diff --git a/arch/parisc/include/asm/timex.h b/arch/parisc/include/asm/timex.h
261 +index 45537cd4d1d39..1cd2bd3eef33b 100644
262 +--- a/arch/parisc/include/asm/timex.h
263 ++++ b/arch/parisc/include/asm/timex.h
264 +@@ -12,9 +12,10 @@
265 +
266 + typedef unsigned long cycles_t;
267 +
268 +-static inline cycles_t get_cycles (void)
269 ++static inline cycles_t get_cycles(void)
270 + {
271 + return mfctl(16);
272 + }
273 ++#define get_cycles get_cycles
274 +
275 + #endif
276 +diff --git a/arch/powerpc/include/asm/archrandom.h b/arch/powerpc/include/asm/archrandom.h
277 +index a09595f00cabe..f0f16b4fc5ea1 100644
278 +--- a/arch/powerpc/include/asm/archrandom.h
279 ++++ b/arch/powerpc/include/asm/archrandom.h
280 +@@ -6,27 +6,28 @@
281 +
282 + #include <asm/machdep.h>
283 +
284 +-static inline int arch_get_random_long(unsigned long *v)
285 ++static inline bool arch_get_random_long(unsigned long *v)
286 + {
287 +- return 0;
288 ++ return false;
289 + }
290 +
291 +-static inline int arch_get_random_int(unsigned int *v)
292 ++static inline bool arch_get_random_int(unsigned int *v)
293 + {
294 +- return 0;
295 ++ return false;
296 + }
297 +
298 +-static inline int arch_get_random_seed_long(unsigned long *v)
299 ++static inline bool arch_get_random_seed_long(unsigned long *v)
300 + {
301 + if (ppc_md.get_random_seed)
302 + return ppc_md.get_random_seed(v);
303 +
304 +- return 0;
305 ++ return false;
306 + }
307 +-static inline int arch_get_random_seed_int(unsigned int *v)
308 ++
309 ++static inline bool arch_get_random_seed_int(unsigned int *v)
310 + {
311 + unsigned long val;
312 +- int rc;
313 ++ bool rc;
314 +
315 + rc = arch_get_random_seed_long(&val);
316 + if (rc)
317 +@@ -34,16 +35,6 @@ static inline int arch_get_random_seed_int(unsigned int *v)
318 +
319 + return rc;
320 + }
321 +-
322 +-static inline int arch_has_random(void)
323 +-{
324 +- return 0;
325 +-}
326 +-
327 +-static inline int arch_has_random_seed(void)
328 +-{
329 +- return !!ppc_md.get_random_seed;
330 +-}
331 + #endif /* CONFIG_ARCH_RANDOM */
332 +
333 + #ifdef CONFIG_PPC_POWERNV
334 +diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h
335 +index d9d5391b2af6f..d0d3dab56225f 100644
336 +--- a/arch/powerpc/include/asm/ppc-opcode.h
337 ++++ b/arch/powerpc/include/asm/ppc-opcode.h
338 +@@ -207,6 +207,7 @@
339 + #define PPC_INST_ICBT 0x7c00002c
340 + #define PPC_INST_ICSWX 0x7c00032d
341 + #define PPC_INST_ICSWEPX 0x7c00076d
342 ++#define PPC_INST_DSSALL 0x7e00066c
343 + #define PPC_INST_ISEL 0x7c00001e
344 + #define PPC_INST_ISEL_MASK 0xfc00003e
345 + #define PPC_INST_LDARX 0x7c0000a8
346 +@@ -424,6 +425,7 @@
347 + __PPC_RA(a) | __PPC_RB(b))
348 + #define PPC_DCBZL(a, b) stringify_in_c(.long PPC_INST_DCBZL | \
349 + __PPC_RA(a) | __PPC_RB(b))
350 ++#define PPC_DSSALL stringify_in_c(.long PPC_INST_DSSALL)
351 + #define PPC_LQARX(t, a, b, eh) stringify_in_c(.long PPC_INST_LQARX | \
352 + ___PPC_RT(t) | ___PPC_RA(a) | \
353 + ___PPC_RB(b) | __PPC_EH(eh))
354 +diff --git a/arch/powerpc/include/asm/timex.h b/arch/powerpc/include/asm/timex.h
355 +index 926b9f91a3ef2..7401d6a684c55 100644
356 +--- a/arch/powerpc/include/asm/timex.h
357 ++++ b/arch/powerpc/include/asm/timex.h
358 +@@ -50,6 +50,7 @@ static inline cycles_t get_cycles(void)
359 + return ret;
360 + #endif
361 + }
362 ++#define get_cycles get_cycles
363 +
364 + #endif /* __KERNEL__ */
365 + #endif /* _ASM_POWERPC_TIMEX_H */
366 +diff --git a/arch/powerpc/kernel/idle_6xx.S b/arch/powerpc/kernel/idle_6xx.S
367 +index ff026c9d3cab4..75de66acc3d1b 100644
368 +--- a/arch/powerpc/kernel/idle_6xx.S
369 ++++ b/arch/powerpc/kernel/idle_6xx.S
370 +@@ -133,7 +133,7 @@ BEGIN_FTR_SECTION
371 + END_FTR_SECTION_IFCLR(CPU_FTR_NO_DPM)
372 + mtspr SPRN_HID0,r4
373 + BEGIN_FTR_SECTION
374 +- DSSALL
375 ++ PPC_DSSALL
376 + sync
377 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
378 + CURRENT_THREAD_INFO(r9, r1)
379 +diff --git a/arch/powerpc/kernel/l2cr_6xx.S b/arch/powerpc/kernel/l2cr_6xx.S
380 +index 6e7dbb7d527c8..9d4b42d115cdd 100644
381 +--- a/arch/powerpc/kernel/l2cr_6xx.S
382 ++++ b/arch/powerpc/kernel/l2cr_6xx.S
383 +@@ -108,7 +108,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L2CR)
384 +
385 + /* Stop DST streams */
386 + BEGIN_FTR_SECTION
387 +- DSSALL
388 ++ PPC_DSSALL
389 + sync
390 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
391 +
392 +@@ -305,7 +305,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L3CR)
393 + isync
394 +
395 + /* Stop DST streams */
396 +- DSSALL
397 ++ PPC_DSSALL
398 + sync
399 +
400 + /* Get the current enable bit of the L3CR into r4 */
401 +@@ -414,7 +414,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_L3CR)
402 + _GLOBAL(__flush_disable_L1)
403 + /* Stop pending alitvec streams and memory accesses */
404 + BEGIN_FTR_SECTION
405 +- DSSALL
406 ++ PPC_DSSALL
407 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
408 + sync
409 +
410 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
411 +index 02b69a68139cc..56c33285b1dfd 100644
412 +--- a/arch/powerpc/kernel/process.c
413 ++++ b/arch/powerpc/kernel/process.c
414 +@@ -2017,12 +2017,12 @@ unsigned long get_wchan(struct task_struct *p)
415 + return 0;
416 +
417 + do {
418 +- sp = *(unsigned long *)sp;
419 ++ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
420 + if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
421 + p->state == TASK_RUNNING)
422 + return 0;
423 + if (count > 0) {
424 +- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
425 ++ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
426 + if (!in_sched_functions(ip))
427 + return ip;
428 + }
429 +diff --git a/arch/powerpc/kernel/swsusp_32.S b/arch/powerpc/kernel/swsusp_32.S
430 +index cbdf86228eaaa..54c44aea338c4 100644
431 +--- a/arch/powerpc/kernel/swsusp_32.S
432 ++++ b/arch/powerpc/kernel/swsusp_32.S
433 +@@ -181,7 +181,7 @@ _GLOBAL(swsusp_arch_resume)
434 + #ifdef CONFIG_ALTIVEC
435 + /* Stop pending alitvec streams and memory accesses */
436 + BEGIN_FTR_SECTION
437 +- DSSALL
438 ++ PPC_DSSALL
439 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
440 + #endif
441 + sync
442 +diff --git a/arch/powerpc/kernel/swsusp_asm64.S b/arch/powerpc/kernel/swsusp_asm64.S
443 +index f83bf6f72cb0e..0af06f3dbb25a 100644
444 +--- a/arch/powerpc/kernel/swsusp_asm64.S
445 ++++ b/arch/powerpc/kernel/swsusp_asm64.S
446 +@@ -143,7 +143,7 @@ END_FW_FTR_SECTION_IFCLR(FW_FEATURE_LPAR)
447 + _GLOBAL(swsusp_arch_resume)
448 + /* Stop pending alitvec streams and memory accesses */
449 + BEGIN_FTR_SECTION
450 +- DSSALL
451 ++ PPC_DSSALL
452 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
453 + sync
454 +
455 +diff --git a/arch/powerpc/mm/mmu_context.c b/arch/powerpc/mm/mmu_context.c
456 +index f84e14f23e50a..78a638ccc70fc 100644
457 +--- a/arch/powerpc/mm/mmu_context.c
458 ++++ b/arch/powerpc/mm/mmu_context.c
459 +@@ -83,7 +83,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
460 + * context
461 + */
462 + if (cpu_has_feature(CPU_FTR_ALTIVEC))
463 +- asm volatile ("dssall");
464 ++ asm volatile (PPC_DSSALL);
465 +
466 + if (new_on_cpu)
467 + radix_kvm_prefetch_workaround(next);
468 +diff --git a/arch/powerpc/platforms/powermac/cache.S b/arch/powerpc/platforms/powermac/cache.S
469 +index 27862feee4a57..0dde4a7a60166 100644
470 +--- a/arch/powerpc/platforms/powermac/cache.S
471 ++++ b/arch/powerpc/platforms/powermac/cache.S
472 +@@ -53,7 +53,7 @@ flush_disable_75x:
473 +
474 + /* Stop DST streams */
475 + BEGIN_FTR_SECTION
476 +- DSSALL
477 ++ PPC_DSSALL
478 + sync
479 + END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
480 +
481 +@@ -201,7 +201,7 @@ flush_disable_745x:
482 + isync
483 +
484 + /* Stop prefetch streams */
485 +- DSSALL
486 ++ PPC_DSSALL
487 + sync
488 +
489 + /* Disable L2 prefetching */
490 +diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h
491 +index c23578a37b443..fdcc34b4f65bc 100644
492 +--- a/arch/riscv/include/asm/processor.h
493 ++++ b/arch/riscv/include/asm/processor.h
494 +@@ -30,6 +30,8 @@
495 +
496 + #ifndef __ASSEMBLY__
497 +
498 ++#include <asm/barrier.h>
499 ++
500 + struct task_struct;
501 + struct pt_regs;
502 +
503 +diff --git a/arch/s390/include/asm/archrandom.h b/arch/s390/include/asm/archrandom.h
504 +index c67b82dfa558e..9a6835137a164 100644
505 +--- a/arch/s390/include/asm/archrandom.h
506 ++++ b/arch/s390/include/asm/archrandom.h
507 +@@ -21,18 +21,6 @@ extern atomic64_t s390_arch_random_counter;
508 +
509 + bool s390_arch_random_generate(u8 *buf, unsigned int nbytes);
510 +
511 +-static inline bool arch_has_random(void)
512 +-{
513 +- return false;
514 +-}
515 +-
516 +-static inline bool arch_has_random_seed(void)
517 +-{
518 +- if (static_branch_likely(&s390_arch_random_available))
519 +- return true;
520 +- return false;
521 +-}
522 +-
523 + static inline bool arch_get_random_long(unsigned long *v)
524 + {
525 + return false;
526 +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h
527 +index b6a4ce9dafafb..99a7e028232d8 100644
528 +--- a/arch/s390/include/asm/timex.h
529 ++++ b/arch/s390/include/asm/timex.h
530 +@@ -177,6 +177,7 @@ static inline cycles_t get_cycles(void)
531 + {
532 + return (cycles_t) get_tod_clock() >> 2;
533 + }
534 ++#define get_cycles get_cycles
535 +
536 + int get_phys_clock(unsigned long *clock);
537 + void init_cpu_timer(void);
538 +diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
539 +index 4354ac6077503..9f39030898694 100644
540 +--- a/arch/s390/mm/pgtable.c
541 ++++ b/arch/s390/mm/pgtable.c
542 +@@ -716,7 +716,7 @@ void ptep_zap_key(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
543 + pgste_val(pgste) |= PGSTE_GR_BIT | PGSTE_GC_BIT;
544 + ptev = pte_val(*ptep);
545 + if (!(ptev & _PAGE_INVALID) && (ptev & _PAGE_WRITE))
546 +- page_set_storage_key(ptev & PAGE_MASK, PAGE_DEFAULT_KEY, 1);
547 ++ page_set_storage_key(ptev & PAGE_MASK, PAGE_DEFAULT_KEY, 0);
548 + pgste_set_unlock(ptep, pgste);
549 + preempt_enable();
550 + }
551 +diff --git a/arch/sparc/include/asm/timex_32.h b/arch/sparc/include/asm/timex_32.h
552 +index 542915b462097..f86326a6f89e0 100644
553 +--- a/arch/sparc/include/asm/timex_32.h
554 ++++ b/arch/sparc/include/asm/timex_32.h
555 +@@ -9,8 +9,6 @@
556 +
557 + #define CLOCK_TICK_RATE 1193180 /* Underlying HZ */
558 +
559 +-/* XXX Maybe do something better at some point... -DaveM */
560 +-typedef unsigned long cycles_t;
561 +-#define get_cycles() (0)
562 ++#include <asm-generic/timex.h>
563 +
564 + #endif
565 +diff --git a/arch/um/include/asm/timex.h b/arch/um/include/asm/timex.h
566 +index e392a9a5bc9bd..9f27176adb26d 100644
567 +--- a/arch/um/include/asm/timex.h
568 ++++ b/arch/um/include/asm/timex.h
569 +@@ -2,13 +2,8 @@
570 + #ifndef __UM_TIMEX_H
571 + #define __UM_TIMEX_H
572 +
573 +-typedef unsigned long cycles_t;
574 +-
575 +-static inline cycles_t get_cycles (void)
576 +-{
577 +- return 0;
578 +-}
579 +-
580 + #define CLOCK_TICK_RATE (HZ)
581 +
582 ++#include <asm-generic/timex.h>
583 ++
584 + #endif
585 +diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h
586 +index 3ac991d81e74d..4d3cac3c9b250 100644
587 +--- a/arch/x86/include/asm/archrandom.h
588 ++++ b/arch/x86/include/asm/archrandom.h
589 +@@ -86,10 +86,6 @@ static inline bool rdseed_int(unsigned int *v)
590 + return ok;
591 + }
592 +
593 +-/* Conditional execution based on CPU type */
594 +-#define arch_has_random() static_cpu_has(X86_FEATURE_RDRAND)
595 +-#define arch_has_random_seed() static_cpu_has(X86_FEATURE_RDSEED)
596 +-
597 + /*
598 + * These are the generic interfaces; they must not be declared if the
599 + * stubs in <linux/random.h> are to be invoked,
600 +@@ -99,22 +95,22 @@ static inline bool rdseed_int(unsigned int *v)
601 +
602 + static inline bool arch_get_random_long(unsigned long *v)
603 + {
604 +- return arch_has_random() ? rdrand_long(v) : false;
605 ++ return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_long(v) : false;
606 + }
607 +
608 + static inline bool arch_get_random_int(unsigned int *v)
609 + {
610 +- return arch_has_random() ? rdrand_int(v) : false;
611 ++ return static_cpu_has(X86_FEATURE_RDRAND) ? rdrand_int(v) : false;
612 + }
613 +
614 + static inline bool arch_get_random_seed_long(unsigned long *v)
615 + {
616 +- return arch_has_random_seed() ? rdseed_long(v) : false;
617 ++ return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_long(v) : false;
618 + }
619 +
620 + static inline bool arch_get_random_seed_int(unsigned int *v)
621 + {
622 +- return arch_has_random_seed() ? rdseed_int(v) : false;
623 ++ return static_cpu_has(X86_FEATURE_RDSEED) ? rdseed_int(v) : false;
624 + }
625 +
626 + extern void x86_init_rdrand(struct cpuinfo_x86 *c);
627 +diff --git a/arch/x86/include/asm/timex.h b/arch/x86/include/asm/timex.h
628 +index a4a8b1b16c0c1..956e4145311b1 100644
629 +--- a/arch/x86/include/asm/timex.h
630 ++++ b/arch/x86/include/asm/timex.h
631 +@@ -5,6 +5,15 @@
632 + #include <asm/processor.h>
633 + #include <asm/tsc.h>
634 +
635 ++static inline unsigned long random_get_entropy(void)
636 ++{
637 ++ if (!IS_ENABLED(CONFIG_X86_TSC) &&
638 ++ !cpu_feature_enabled(X86_FEATURE_TSC))
639 ++ return random_get_entropy_fallback();
640 ++ return rdtsc();
641 ++}
642 ++#define random_get_entropy random_get_entropy
643 ++
644 + /* Assume we use the PIT time source for the clock tick */
645 + #define CLOCK_TICK_RATE PIT_TICK_RATE
646 +
647 +diff --git a/arch/x86/include/asm/tsc.h b/arch/x86/include/asm/tsc.h
648 +index eb5bbfeccb661..196cf01f58fdf 100644
649 +--- a/arch/x86/include/asm/tsc.h
650 ++++ b/arch/x86/include/asm/tsc.h
651 +@@ -22,13 +22,12 @@ extern void disable_TSC(void);
652 +
653 + static inline cycles_t get_cycles(void)
654 + {
655 +-#ifndef CONFIG_X86_TSC
656 +- if (!boot_cpu_has(X86_FEATURE_TSC))
657 ++ if (!IS_ENABLED(CONFIG_X86_TSC) &&
658 ++ !cpu_feature_enabled(X86_FEATURE_TSC))
659 + return 0;
660 +-#endif
661 +-
662 + return rdtsc();
663 + }
664 ++#define get_cycles get_cycles
665 +
666 + extern struct system_counterval_t convert_art_to_tsc(u64 art);
667 + extern struct system_counterval_t convert_art_ns_to_tsc(u64 art_ns);
668 +diff --git a/arch/xtensa/include/asm/timex.h b/arch/xtensa/include/asm/timex.h
669 +index f9b389d4e9739..d866bc847d8dc 100644
670 +--- a/arch/xtensa/include/asm/timex.h
671 ++++ b/arch/xtensa/include/asm/timex.h
672 +@@ -30,10 +30,6 @@
673 +
674 + extern unsigned long ccount_freq;
675 +
676 +-typedef unsigned long long cycles_t;
677 +-
678 +-#define get_cycles() (0)
679 +-
680 + void local_timer_setup(unsigned cpu);
681 +
682 + /*
683 +@@ -69,4 +65,6 @@ static inline void set_linux_timer (unsigned long ccompare)
684 + WSR_CCOMPARE(LINUX_TIMER, ccompare);
685 + }
686 +
687 ++#include <asm-generic/timex.h>
688 ++
689 + #endif /* _XTENSA_TIMEX_H */
690 +diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c
691 +index 344892337be07..d5961aa3d3380 100644
692 +--- a/certs/blacklist_hashes.c
693 ++++ b/certs/blacklist_hashes.c
694 +@@ -1,7 +1,7 @@
695 + // SPDX-License-Identifier: GPL-2.0
696 + #include "blacklist.h"
697 +
698 +-const char __initdata *const blacklist_hashes[] = {
699 ++const char __initconst *const blacklist_hashes[] = {
700 + #include CONFIG_SYSTEM_BLACKLIST_HASH_LIST
701 + , NULL
702 + };
703 +diff --git a/crypto/drbg.c b/crypto/drbg.c
704 +index bc52d95626110..c8c56763dfded 100644
705 +--- a/crypto/drbg.c
706 ++++ b/crypto/drbg.c
707 +@@ -219,6 +219,57 @@ static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
708 + }
709 + }
710 +
711 ++/*
712 ++ * FIPS 140-2 continuous self test for the noise source
713 ++ * The test is performed on the noise source input data. Thus, the function
714 ++ * implicitly knows the size of the buffer to be equal to the security
715 ++ * strength.
716 ++ *
717 ++ * Note, this function disregards the nonce trailing the entropy data during
718 ++ * initial seeding.
719 ++ *
720 ++ * drbg->drbg_mutex must have been taken.
721 ++ *
722 ++ * @drbg DRBG handle
723 ++ * @entropy buffer of seed data to be checked
724 ++ *
725 ++ * return:
726 ++ * 0 on success
727 ++ * -EAGAIN on when the CTRNG is not yet primed
728 ++ * < 0 on error
729 ++ */
730 ++static int drbg_fips_continuous_test(struct drbg_state *drbg,
731 ++ const unsigned char *entropy)
732 ++{
733 ++ unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
734 ++ int ret = 0;
735 ++
736 ++ if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
737 ++ return 0;
738 ++
739 ++ /* skip test if we test the overall system */
740 ++ if (list_empty(&drbg->test_data.list))
741 ++ return 0;
742 ++ /* only perform test in FIPS mode */
743 ++ if (!fips_enabled)
744 ++ return 0;
745 ++
746 ++ if (!drbg->fips_primed) {
747 ++ /* Priming of FIPS test */
748 ++ memcpy(drbg->prev, entropy, entropylen);
749 ++ drbg->fips_primed = true;
750 ++ /* priming: another round is needed */
751 ++ return -EAGAIN;
752 ++ }
753 ++ ret = memcmp(drbg->prev, entropy, entropylen);
754 ++ if (!ret)
755 ++ panic("DRBG continuous self test failed\n");
756 ++ memcpy(drbg->prev, entropy, entropylen);
757 ++
758 ++ /* the test shall pass when the two values are not equal */
759 ++ return 0;
760 ++}
761 ++
762 + /*
763 + * Convert an integer into a byte representation of this integer.
764 + * The byte representation is big-endian
765 +@@ -984,55 +1035,79 @@ static const struct drbg_state_ops drbg_hash_ops = {
766 + ******************************************************************/
767 +
768 + static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
769 +- int reseed)
770 ++ int reseed, enum drbg_seed_state new_seed_state)
771 + {
772 + int ret = drbg->d_ops->update(drbg, seed, reseed);
773 +
774 + if (ret)
775 + return ret;
776 +
777 +- drbg->seeded = true;
778 ++ drbg->seeded = new_seed_state;
779 + /* 10.1.1.2 / 10.1.1.3 step 5 */
780 + drbg->reseed_ctr = 1;
781 +
782 ++ switch (drbg->seeded) {
783 ++ case DRBG_SEED_STATE_UNSEEDED:
784 ++ /* Impossible, but handle it to silence compiler warnings. */
785 ++ case DRBG_SEED_STATE_PARTIAL:
786 ++ /*
787 ++ * Require frequent reseeds until the seed source is
788 ++ * fully initialized.
789 ++ */
790 ++ drbg->reseed_threshold = 50;
791 ++ break;
792 ++
793 ++ case DRBG_SEED_STATE_FULL:
794 ++ /*
795 ++ * Seed source has become fully initialized, frequent
796 ++ * reseeds no longer required.
797 ++ */
798 ++ drbg->reseed_threshold = drbg_max_requests(drbg);
799 ++ break;
800 ++ }
801 ++
802 + return ret;
803 + }
804 +
805 +-static void drbg_async_seed(struct work_struct *work)
806 ++static inline int drbg_get_random_bytes(struct drbg_state *drbg,
807 ++ unsigned char *entropy,
808 ++ unsigned int entropylen)
809 ++{
810 ++ int ret;
811 ++
812 ++ do {
813 ++ get_random_bytes(entropy, entropylen);
814 ++ ret = drbg_fips_continuous_test(drbg, entropy);
815 ++ if (ret && ret != -EAGAIN)
816 ++ return ret;
817 ++ } while (ret);
818 ++
819 ++ return 0;
820 ++}
821 ++
822 ++static int drbg_seed_from_random(struct drbg_state *drbg)
823 + {
824 + struct drbg_string data;
825 + LIST_HEAD(seedlist);
826 +- struct drbg_state *drbg = container_of(work, struct drbg_state,
827 +- seed_work);
828 + unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
829 + unsigned char entropy[32];
830 ++ int ret;
831 +
832 + BUG_ON(!entropylen);
833 + BUG_ON(entropylen > sizeof(entropy));
834 +- get_random_bytes(entropy, entropylen);
835 +
836 + drbg_string_fill(&data, entropy, entropylen);
837 + list_add_tail(&data.list, &seedlist);
838 +
839 +- mutex_lock(&drbg->drbg_mutex);
840 +-
841 +- /* If nonblocking pool is initialized, deactivate Jitter RNG */
842 +- crypto_free_rng(drbg->jent);
843 +- drbg->jent = NULL;
844 +-
845 +- /* Set seeded to false so that if __drbg_seed fails the
846 +- * next generate call will trigger a reseed.
847 +- */
848 +- drbg->seeded = false;
849 +-
850 +- __drbg_seed(drbg, &seedlist, true);
851 +-
852 +- if (drbg->seeded)
853 +- drbg->reseed_threshold = drbg_max_requests(drbg);
854 ++ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
855 ++ if (ret)
856 ++ goto out;
857 +
858 +- mutex_unlock(&drbg->drbg_mutex);
859 ++ ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
860 +
861 ++out:
862 + memzero_explicit(entropy, entropylen);
863 ++ return ret;
864 + }
865 +
866 + /*
867 +@@ -1054,6 +1129,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
868 + unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
869 + struct drbg_string data1;
870 + LIST_HEAD(seedlist);
871 ++ enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
872 +
873 + /* 9.1 / 9.2 / 9.3.1 step 3 */
874 + if (pers && pers->len > (drbg_max_addtl(drbg))) {
875 +@@ -1081,7 +1157,12 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
876 + BUG_ON((entropylen * 2) > sizeof(entropy));
877 +
878 + /* Get seed from in-kernel /dev/urandom */
879 +- get_random_bytes(entropy, entropylen);
880 ++ if (!rng_is_initialized())
881 ++ new_seed_state = DRBG_SEED_STATE_PARTIAL;
882 ++
883 ++ ret = drbg_get_random_bytes(drbg, entropy, entropylen);
884 ++ if (ret)
885 ++ goto out;
886 +
887 + if (!drbg->jent) {
888 + drbg_string_fill(&data1, entropy, entropylen);
889 +@@ -1094,7 +1175,23 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
890 + entropylen);
891 + if (ret) {
892 + pr_devel("DRBG: jent failed with %d\n", ret);
893 +- return ret;
894 ++
895 ++ /*
896 ++ * Do not treat the transient failure of the
897 ++ * Jitter RNG as an error that needs to be
898 ++ * reported. The combined number of the
899 ++ * maximum reseed threshold times the maximum
900 ++ * number of Jitter RNG transient errors is
901 ++ * less than the reseed threshold required by
902 ++ * SP800-90A allowing us to treat the
903 ++ * transient errors as such.
904 ++ *
905 ++ * However, we mandate that at least the first
906 ++ * seeding operation must succeed with the
907 ++ * Jitter RNG.
908 ++ */
909 ++ if (!reseed || ret != -EAGAIN)
910 ++ goto out;
911 + }
912 +
913 + drbg_string_fill(&data1, entropy, entropylen * 2);
914 +@@ -1119,8 +1216,9 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
915 + memset(drbg->C, 0, drbg_statelen(drbg));
916 + }
917 +
918 +- ret = __drbg_seed(drbg, &seedlist, reseed);
919 ++ ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
920 +
921 ++out:
922 + memzero_explicit(entropy, entropylen * 2);
923 +
924 + return ret;
925 +@@ -1142,6 +1240,11 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
926 + drbg->reseed_ctr = 0;
927 + drbg->d_ops = NULL;
928 + drbg->core = NULL;
929 ++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
930 ++ kzfree(drbg->prev);
931 ++ drbg->prev = NULL;
932 ++ drbg->fips_primed = false;
933 ++ }
934 + }
935 +
936 + /*
937 +@@ -1211,6 +1314,14 @@ static inline int drbg_alloc_state(struct drbg_state *drbg)
938 + drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
939 + }
940 +
941 ++ if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
942 ++ drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
943 ++ GFP_KERNEL);
944 ++ if (!drbg->prev)
945 ++ goto fini;
946 ++ drbg->fips_primed = false;
947 ++ }
948 ++
949 + return 0;
950 +
951 + fini:
952 +@@ -1283,19 +1394,25 @@ static int drbg_generate(struct drbg_state *drbg,
953 + * here. The spec is a bit convoluted here, we make it simpler.
954 + */
955 + if (drbg->reseed_threshold < drbg->reseed_ctr)
956 +- drbg->seeded = false;
957 ++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
958 +
959 +- if (drbg->pr || !drbg->seeded) {
960 ++ if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
961 + pr_devel("DRBG: reseeding before generation (prediction "
962 + "resistance: %s, state %s)\n",
963 + drbg->pr ? "true" : "false",
964 +- drbg->seeded ? "seeded" : "unseeded");
965 ++ (drbg->seeded == DRBG_SEED_STATE_FULL ?
966 ++ "seeded" : "unseeded"));
967 + /* 9.3.1 steps 7.1 through 7.3 */
968 + len = drbg_seed(drbg, addtl, true);
969 + if (len)
970 + goto err;
971 + /* 9.3.1 step 7.4 */
972 + addtl = NULL;
973 ++ } else if (rng_is_initialized() &&
974 ++ drbg->seeded == DRBG_SEED_STATE_PARTIAL) {
975 ++ len = drbg_seed_from_random(drbg);
976 ++ if (len)
977 ++ goto err;
978 + }
979 +
980 + if (addtl && 0 < addtl->len)
981 +@@ -1388,51 +1505,15 @@ static int drbg_generate_long(struct drbg_state *drbg,
982 + return 0;
983 + }
984 +
985 +-static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
986 +-{
987 +- struct drbg_state *drbg = container_of(rdy, struct drbg_state,
988 +- random_ready);
989 +-
990 +- schedule_work(&drbg->seed_work);
991 +-}
992 +-
993 + static int drbg_prepare_hrng(struct drbg_state *drbg)
994 + {
995 +- int err;
996 +-
997 + /* We do not need an HRNG in test mode. */
998 + if (list_empty(&drbg->test_data.list))
999 + return 0;
1000 +
1001 +- INIT_WORK(&drbg->seed_work, drbg_async_seed);
1002 +-
1003 +- drbg->random_ready.owner = THIS_MODULE;
1004 +- drbg->random_ready.func = drbg_schedule_async_seed;
1005 +-
1006 +- err = add_random_ready_callback(&drbg->random_ready);
1007 +-
1008 +- switch (err) {
1009 +- case 0:
1010 +- break;
1011 +-
1012 +- case -EALREADY:
1013 +- err = 0;
1014 +- /* fall through */
1015 +-
1016 +- default:
1017 +- drbg->random_ready.func = NULL;
1018 +- return err;
1019 +- }
1020 +-
1021 + drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1022 +
1023 +- /*
1024 +- * Require frequent reseeds until the seed source is fully
1025 +- * initialized.
1026 +- */
1027 +- drbg->reseed_threshold = 50;
1028 +-
1029 +- return err;
1030 ++ return 0;
1031 + }
1032 +
1033 + /*
1034 +@@ -1475,7 +1556,7 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1035 + if (!drbg->core) {
1036 + drbg->core = &drbg_cores[coreref];
1037 + drbg->pr = pr;
1038 +- drbg->seeded = false;
1039 ++ drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1040 + drbg->reseed_threshold = drbg_max_requests(drbg);
1041 +
1042 + ret = drbg_alloc_state(drbg);
1043 +@@ -1526,12 +1607,9 @@ free_everything:
1044 + */
1045 + static int drbg_uninstantiate(struct drbg_state *drbg)
1046 + {
1047 +- if (drbg->random_ready.func) {
1048 +- del_random_ready_callback(&drbg->random_ready);
1049 +- cancel_work_sync(&drbg->seed_work);
1050 ++ if (!IS_ERR_OR_NULL(drbg->jent))
1051 + crypto_free_rng(drbg->jent);
1052 +- drbg->jent = NULL;
1053 +- }
1054 ++ drbg->jent = NULL;
1055 +
1056 + if (drbg->d_ops)
1057 + drbg->d_ops->crypto_fini(drbg);
1058 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
1059 +index 0c10d95577542..b0dea0702c748 100644
1060 +--- a/drivers/ata/libata-core.c
1061 ++++ b/drivers/ata/libata-core.c
1062 +@@ -6253,7 +6253,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev,
1063 + const struct ata_port_info * const * ppi,
1064 + int n_ports)
1065 + {
1066 +- const struct ata_port_info *pi;
1067 ++ const struct ata_port_info *pi = &ata_dummy_port_info;
1068 + struct ata_host *host;
1069 + int i, j;
1070 +
1071 +@@ -6261,7 +6261,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev,
1072 + if (!host)
1073 + return NULL;
1074 +
1075 +- for (i = 0, j = 0, pi = NULL; i < host->n_ports; i++) {
1076 ++ for (i = 0, j = 0; i < host->n_ports; i++) {
1077 + struct ata_port *ap = host->ports[i];
1078 +
1079 + if (ppi[j])
1080 +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
1081 +index 1df9cb8e659e2..f55c9bbd58fba 100644
1082 +--- a/drivers/char/Kconfig
1083 ++++ b/drivers/char/Kconfig
1084 +@@ -552,19 +552,41 @@ config ADI
1085 + and SSM (Silicon Secured Memory). Intended consumers of this
1086 + driver include crash and makedumpfile.
1087 +
1088 +-endmenu
1089 +-
1090 + config RANDOM_TRUST_CPU
1091 +- bool "Trust the CPU manufacturer to initialize Linux's CRNG"
1092 +- depends on X86 || S390 || PPC
1093 +- default n
1094 ++ bool "Initialize RNG using CPU RNG instructions"
1095 ++ default y
1096 ++ depends on ARCH_RANDOM
1097 + help
1098 +- Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or
1099 +- RDRAND, IBM for the S390 and Power PC architectures) is trustworthy
1100 +- for the purposes of initializing Linux's CRNG. Since this is not
1101 +- something that can be independently audited, this amounts to trusting
1102 +- that CPU manufacturer (perhaps with the insistence or mandate
1103 +- of a Nation State's intelligence or law enforcement agencies)
1104 +- has not installed a hidden back door to compromise the CPU's
1105 +- random number generation facilities. This can also be configured
1106 +- at boot with "random.trust_cpu=on/off".
1107 ++ Initialize the RNG using random numbers supplied by the CPU's
1108 ++ RNG instructions (e.g. RDRAND), if supported and available. These
1109 ++ random numbers are never used directly, but are rather hashed into
1110 ++ the main input pool, and this happens regardless of whether or not
1111 ++ this option is enabled. Instead, this option controls whether the
1112 ++ they are credited and hence can initialize the RNG. Additionally,
1113 ++ other sources of randomness are always used, regardless of this
1114 ++ setting. Enabling this implies trusting that the CPU can supply high
1115 ++ quality and non-backdoored random numbers.
1116 ++
1117 ++ Say Y here unless you have reason to mistrust your CPU or believe
1118 ++ its RNG facilities may be faulty. This may also be configured at
1119 ++ boot time with "random.trust_cpu=on/off".
1120 ++
1121 ++config RANDOM_TRUST_BOOTLOADER
1122 ++ bool "Initialize RNG using bootloader-supplied seed"
1123 ++ default y
1124 ++ help
1125 ++ Initialize the RNG using a seed supplied by the bootloader or boot
1126 ++ environment (e.g. EFI or a bootloader-generated device tree). This
1127 ++ seed is not used directly, but is rather hashed into the main input
1128 ++ pool, and this happens regardless of whether or not this option is
1129 ++ enabled. Instead, this option controls whether the seed is credited
1130 ++ and hence can initialize the RNG. Additionally, other sources of
1131 ++ randomness are always used, regardless of this setting. Enabling
1132 ++ this implies trusting that the bootloader can supply high quality and
1133 ++ non-backdoored seeds.
1134 ++
1135 ++ Say Y here unless you have reason to mistrust your bootloader or
1136 ++ believe its RNG facilities may be faulty. This may also be configured
1137 ++ at boot time with "random.trust_bootloader=on/off".
1138 ++
1139 ++endmenu
1140 +diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
1141 +index 0ef7cb0448e86..c9757fa2d3081 100644
1142 +--- a/drivers/char/hw_random/core.c
1143 ++++ b/drivers/char/hw_random/core.c
1144 +@@ -15,6 +15,7 @@
1145 + #include <linux/err.h>
1146 + #include <linux/fs.h>
1147 + #include <linux/hw_random.h>
1148 ++#include <linux/random.h>
1149 + #include <linux/kernel.h>
1150 + #include <linux/kthread.h>
1151 + #include <linux/sched/signal.h>
1152 +diff --git a/drivers/char/random.c b/drivers/char/random.c
1153 +index 1127343781465..55b23104fe33d 100644
1154 +--- a/drivers/char/random.c
1155 ++++ b/drivers/char/random.c
1156 +@@ -1,242 +1,29 @@
1157 ++// SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
1158 + /*
1159 +- * random.c -- A strong random number generator
1160 +- *
1161 +- * Copyright (C) 2017 Jason A. Donenfeld <Jason@×××××.com>. All
1162 +- * Rights Reserved.
1163 +- *
1164 ++ * Copyright (C) 2017-2022 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
1165 + * Copyright Matt Mackall <mpm@×××××××.com>, 2003, 2004, 2005
1166 +- *
1167 +- * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All
1168 +- * rights reserved.
1169 +- *
1170 +- * Redistribution and use in source and binary forms, with or without
1171 +- * modification, are permitted provided that the following conditions
1172 +- * are met:
1173 +- * 1. Redistributions of source code must retain the above copyright
1174 +- * notice, and the entire permission notice in its entirety,
1175 +- * including the disclaimer of warranties.
1176 +- * 2. Redistributions in binary form must reproduce the above copyright
1177 +- * notice, this list of conditions and the following disclaimer in the
1178 +- * documentation and/or other materials provided with the distribution.
1179 +- * 3. The name of the author may not be used to endorse or promote
1180 +- * products derived from this software without specific prior
1181 +- * written permission.
1182 +- *
1183 +- * ALTERNATIVELY, this product may be distributed under the terms of
1184 +- * the GNU General Public License, in which case the provisions of the GPL are
1185 +- * required INSTEAD OF the above restrictions. (This clause is
1186 +- * necessary due to a potential bad interaction between the GPL and
1187 +- * the restrictions contained in a BSD-style copyright.)
1188 +- *
1189 +- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
1190 +- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1191 +- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
1192 +- * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
1193 +- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
1194 +- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
1195 +- * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
1196 +- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
1197 +- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1198 +- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
1199 +- * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
1200 +- * DAMAGE.
1201 ++ * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved.
1202 ++ *
1203 ++ * This driver produces cryptographically secure pseudorandom data. It is divided
1204 ++ * into roughly six sections, each with a section header:
1205 ++ *
1206 ++ * - Initialization and readiness waiting.
1207 ++ * - Fast key erasure RNG, the "crng".
1208 ++ * - Entropy accumulation and extraction routines.
1209 ++ * - Entropy collection routines.
1210 ++ * - Userspace reader/writer interfaces.
1211 ++ * - Sysctl interface.
1212 ++ *
1213 ++ * The high level overview is that there is one input pool, into which
1214 ++ * various pieces of data are hashed. Prior to initialization, some of that
1215 ++ * data is then "credited" as having a certain number of bits of entropy.
1216 ++ * When enough bits of entropy are available, the hash is finalized and
1217 ++ * handed as a key to a stream cipher that expands it indefinitely for
1218 ++ * various consumers. This key is periodically refreshed as the various
1219 ++ * entropy collectors, described below, add data to the input pool.
1220 + */
1221 +
1222 +-/*
1223 +- * (now, with legal B.S. out of the way.....)
1224 +- *
1225 +- * This routine gathers environmental noise from device drivers, etc.,
1226 +- * and returns good random numbers, suitable for cryptographic use.
1227 +- * Besides the obvious cryptographic uses, these numbers are also good
1228 +- * for seeding TCP sequence numbers, and other places where it is
1229 +- * desirable to have numbers which are not only random, but hard to
1230 +- * predict by an attacker.
1231 +- *
1232 +- * Theory of operation
1233 +- * ===================
1234 +- *
1235 +- * Computers are very predictable devices. Hence it is extremely hard
1236 +- * to produce truly random numbers on a computer --- as opposed to
1237 +- * pseudo-random numbers, which can easily generated by using a
1238 +- * algorithm. Unfortunately, it is very easy for attackers to guess
1239 +- * the sequence of pseudo-random number generators, and for some
1240 +- * applications this is not acceptable. So instead, we must try to
1241 +- * gather "environmental noise" from the computer's environment, which
1242 +- * must be hard for outside attackers to observe, and use that to
1243 +- * generate random numbers. In a Unix environment, this is best done
1244 +- * from inside the kernel.
1245 +- *
1246 +- * Sources of randomness from the environment include inter-keyboard
1247 +- * timings, inter-interrupt timings from some interrupts, and other
1248 +- * events which are both (a) non-deterministic and (b) hard for an
1249 +- * outside observer to measure. Randomness from these sources are
1250 +- * added to an "entropy pool", which is mixed using a CRC-like function.
1251 +- * This is not cryptographically strong, but it is adequate assuming
1252 +- * the randomness is not chosen maliciously, and it is fast enough that
1253 +- * the overhead of doing it on every interrupt is very reasonable.
1254 +- * As random bytes are mixed into the entropy pool, the routines keep
1255 +- * an *estimate* of how many bits of randomness have been stored into
1256 +- * the random number generator's internal state.
1257 +- *
1258 +- * When random bytes are desired, they are obtained by taking the SHA
1259 +- * hash of the contents of the "entropy pool". The SHA hash avoids
1260 +- * exposing the internal state of the entropy pool. It is believed to
1261 +- * be computationally infeasible to derive any useful information
1262 +- * about the input of SHA from its output. Even if it is possible to
1263 +- * analyze SHA in some clever way, as long as the amount of data
1264 +- * returned from the generator is less than the inherent entropy in
1265 +- * the pool, the output data is totally unpredictable. For this
1266 +- * reason, the routine decreases its internal estimate of how many
1267 +- * bits of "true randomness" are contained in the entropy pool as it
1268 +- * outputs random numbers.
1269 +- *
1270 +- * If this estimate goes to zero, the routine can still generate
1271 +- * random numbers; however, an attacker may (at least in theory) be
1272 +- * able to infer the future output of the generator from prior
1273 +- * outputs. This requires successful cryptanalysis of SHA, which is
1274 +- * not believed to be feasible, but there is a remote possibility.
1275 +- * Nonetheless, these numbers should be useful for the vast majority
1276 +- * of purposes.
1277 +- *
1278 +- * Exported interfaces ---- output
1279 +- * ===============================
1280 +- *
1281 +- * There are three exported interfaces; the first is one designed to
1282 +- * be used from within the kernel:
1283 +- *
1284 +- * void get_random_bytes(void *buf, int nbytes);
1285 +- *
1286 +- * This interface will return the requested number of random bytes,
1287 +- * and place it in the requested buffer.
1288 +- *
1289 +- * The two other interfaces are two character devices /dev/random and
1290 +- * /dev/urandom. /dev/random is suitable for use when very high
1291 +- * quality randomness is desired (for example, for key generation or
1292 +- * one-time pads), as it will only return a maximum of the number of
1293 +- * bits of randomness (as estimated by the random number generator)
1294 +- * contained in the entropy pool.
1295 +- *
1296 +- * The /dev/urandom device does not have this limit, and will return
1297 +- * as many bytes as are requested. As more and more random bytes are
1298 +- * requested without giving time for the entropy pool to recharge,
1299 +- * this will result in random numbers that are merely cryptographically
1300 +- * strong. For many applications, however, this is acceptable.
1301 +- *
1302 +- * Exported interfaces ---- input
1303 +- * ==============================
1304 +- *
1305 +- * The current exported interfaces for gathering environmental noise
1306 +- * from the devices are:
1307 +- *
1308 +- * void add_device_randomness(const void *buf, unsigned int size);
1309 +- * void add_input_randomness(unsigned int type, unsigned int code,
1310 +- * unsigned int value);
1311 +- * void add_interrupt_randomness(int irq, int irq_flags);
1312 +- * void add_disk_randomness(struct gendisk *disk);
1313 +- *
1314 +- * add_device_randomness() is for adding data to the random pool that
1315 +- * is likely to differ between two devices (or possibly even per boot).
1316 +- * This would be things like MAC addresses or serial numbers, or the
1317 +- * read-out of the RTC. This does *not* add any actual entropy to the
1318 +- * pool, but it initializes the pool to different values for devices
1319 +- * that might otherwise be identical and have very little entropy
1320 +- * available to them (particularly common in the embedded world).
1321 +- *
1322 +- * add_input_randomness() uses the input layer interrupt timing, as well as
1323 +- * the event type information from the hardware.
1324 +- *
1325 +- * add_interrupt_randomness() uses the interrupt timing as random
1326 +- * inputs to the entropy pool. Using the cycle counters and the irq source
1327 +- * as inputs, it feeds the randomness roughly once a second.
1328 +- *
1329 +- * add_disk_randomness() uses what amounts to the seek time of block
1330 +- * layer request events, on a per-disk_devt basis, as input to the
1331 +- * entropy pool. Note that high-speed solid state drives with very low
1332 +- * seek times do not make for good sources of entropy, as their seek
1333 +- * times are usually fairly consistent.
1334 +- *
1335 +- * All of these routines try to estimate how many bits of randomness a
1336 +- * particular randomness source. They do this by keeping track of the
1337 +- * first and second order deltas of the event timings.
1338 +- *
1339 +- * Ensuring unpredictability at system startup
1340 +- * ============================================
1341 +- *
1342 +- * When any operating system starts up, it will go through a sequence
1343 +- * of actions that are fairly predictable by an adversary, especially
1344 +- * if the start-up does not involve interaction with a human operator.
1345 +- * This reduces the actual number of bits of unpredictability in the
1346 +- * entropy pool below the value in entropy_count. In order to
1347 +- * counteract this effect, it helps to carry information in the
1348 +- * entropy pool across shut-downs and start-ups. To do this, put the
1349 +- * following lines an appropriate script which is run during the boot
1350 +- * sequence:
1351 +- *
1352 +- * echo "Initializing random number generator..."
1353 +- * random_seed=/var/run/random-seed
1354 +- * # Carry a random seed from start-up to start-up
1355 +- * # Load and then save the whole entropy pool
1356 +- * if [ -f $random_seed ]; then
1357 +- * cat $random_seed >/dev/urandom
1358 +- * else
1359 +- * touch $random_seed
1360 +- * fi
1361 +- * chmod 600 $random_seed
1362 +- * dd if=/dev/urandom of=$random_seed count=1 bs=512
1363 +- *
1364 +- * and the following lines in an appropriate script which is run as
1365 +- * the system is shutdown:
1366 +- *
1367 +- * # Carry a random seed from shut-down to start-up
1368 +- * # Save the whole entropy pool
1369 +- * echo "Saving random seed..."
1370 +- * random_seed=/var/run/random-seed
1371 +- * touch $random_seed
1372 +- * chmod 600 $random_seed
1373 +- * dd if=/dev/urandom of=$random_seed count=1 bs=512
1374 +- *
1375 +- * For example, on most modern systems using the System V init
1376 +- * scripts, such code fragments would be found in
1377 +- * /etc/rc.d/init.d/random. On older Linux systems, the correct script
1378 +- * location might be in /etc/rcb.d/rc.local or /etc/rc.d/rc.0.
1379 +- *
1380 +- * Effectively, these commands cause the contents of the entropy pool
1381 +- * to be saved at shut-down time and reloaded into the entropy pool at
1382 +- * start-up. (The 'dd' in the addition to the bootup script is to
1383 +- * make sure that /etc/random-seed is different for every start-up,
1384 +- * even if the system crashes without executing rc.0.) Even with
1385 +- * complete knowledge of the start-up activities, predicting the state
1386 +- * of the entropy pool requires knowledge of the previous history of
1387 +- * the system.
1388 +- *
1389 +- * Configuring the /dev/random driver under Linux
1390 +- * ==============================================
1391 +- *
1392 +- * The /dev/random driver under Linux uses minor numbers 8 and 9 of
1393 +- * the /dev/mem major number (#1). So if your system does not have
1394 +- * /dev/random and /dev/urandom created already, they can be created
1395 +- * by using the commands:
1396 +- *
1397 +- * mknod /dev/random c 1 8
1398 +- * mknod /dev/urandom c 1 9
1399 +- *
1400 +- * Acknowledgements:
1401 +- * =================
1402 +- *
1403 +- * Ideas for constructing this random number generator were derived
1404 +- * from Pretty Good Privacy's random number generator, and from private
1405 +- * discussions with Phil Karn. Colin Plumb provided a faster random
1406 +- * number generator, which speed up the mixing function of the entropy
1407 +- * pool, taken from PGPfone. Dale Worley has also contributed many
1408 +- * useful ideas and suggestions to improve this driver.
1409 +- *
1410 +- * Any flaws in the design are solely my responsibility, and should
1411 +- * not be attributed to the Phil, Colin, or any of authors of PGP.
1412 +- *
1413 +- * Further background information on this topic may be obtained from
1414 +- * RFC 1750, "Randomness Recommendations for Security", by Donald
1415 +- * Eastlake, Steve Crocker, and Jeff Schiller.
1416 +- */
1417 ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1418 +
1419 + #include <linux/utsname.h>
1420 + #include <linux/module.h>
1421 +@@ -256,8 +43,6 @@
1422 + #include <linux/spinlock.h>
1423 + #include <linux/kthread.h>
1424 + #include <linux/percpu.h>
1425 +-#include <linux/cryptohash.h>
1426 +-#include <linux/fips.h>
1427 + #include <linux/ptrace.h>
1428 + #include <linux/workqueue.h>
1429 + #include <linux/irq.h>
1430 +@@ -265,1636 +50,1067 @@
1431 + #include <linux/syscalls.h>
1432 + #include <linux/completion.h>
1433 + #include <linux/uuid.h>
1434 ++#include <linux/uaccess.h>
1435 ++#include <linux/siphash.h>
1436 ++#include <linux/uio.h>
1437 + #include <crypto/chacha20.h>
1438 +-
1439 ++#include <crypto/blake2s.h>
1440 + #include <asm/processor.h>
1441 +-#include <linux/uaccess.h>
1442 + #include <asm/irq.h>
1443 + #include <asm/irq_regs.h>
1444 + #include <asm/io.h>
1445 +
1446 +-#define CREATE_TRACE_POINTS
1447 +-#include <trace/events/random.h>
1448 +-
1449 +-/* #define ADD_INTERRUPT_BENCH */
1450 ++/*********************************************************************
1451 ++ *
1452 ++ * Initialization and readiness waiting.
1453 ++ *
1454 ++ * Much of the RNG infrastructure is devoted to various dependencies
1455 ++ * being able to wait until the RNG has collected enough entropy and
1456 ++ * is ready for safe consumption.
1457 ++ *
1458 ++ *********************************************************************/
1459 +
1460 + /*
1461 +- * Configuration information
1462 ++ * crng_init is protected by base_crng->lock, and only increases
1463 ++ * its value (from empty->early->ready).
1464 + */
1465 +-#define INPUT_POOL_SHIFT 12
1466 +-#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
1467 +-#define OUTPUT_POOL_SHIFT 10
1468 +-#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
1469 +-#define SEC_XFER_SIZE 512
1470 +-#define EXTRACT_SIZE 10
1471 +-
1472 ++static enum {
1473 ++ CRNG_EMPTY = 0, /* Little to no entropy collected */
1474 ++ CRNG_EARLY = 1, /* At least POOL_EARLY_BITS collected */
1475 ++ CRNG_READY = 2 /* Fully initialized with POOL_READY_BITS collected */
1476 ++} crng_init __read_mostly = CRNG_EMPTY;
1477 ++#define crng_ready() (likely(crng_init >= CRNG_READY))
1478 ++/* Various types of waiters for crng_init->CRNG_READY transition. */
1479 ++static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
1480 ++static struct fasync_struct *fasync;
1481 ++static DEFINE_SPINLOCK(random_ready_chain_lock);
1482 ++static RAW_NOTIFIER_HEAD(random_ready_chain);
1483 +
1484 +-#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
1485 ++/* Control how we warn userspace. */
1486 ++static struct ratelimit_state urandom_warning =
1487 ++ RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
1488 ++static int ratelimit_disable __read_mostly =
1489 ++ IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM);
1490 ++module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
1491 ++MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
1492 +
1493 + /*
1494 +- * To allow fractional bits to be tracked, the entropy_count field is
1495 +- * denominated in units of 1/8th bits.
1496 ++ * Returns whether or not the input pool has been seeded and thus guaranteed
1497 ++ * to supply cryptographically secure random numbers. This applies to: the
1498 ++ * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
1499 ++ * ,u64,int,long} family of functions.
1500 + *
1501 +- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in
1502 +- * credit_entropy_bits() needs to be 64 bits wide.
1503 ++ * Returns: true if the input pool has been seeded.
1504 ++ * false if the input pool has not been seeded.
1505 + */
1506 +-#define ENTROPY_SHIFT 3
1507 +-#define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
1508 ++bool rng_is_initialized(void)
1509 ++{
1510 ++ return crng_ready();
1511 ++}
1512 ++EXPORT_SYMBOL(rng_is_initialized);
1513 +
1514 +-/*
1515 +- * The minimum number of bits of entropy before we wake up a read on
1516 +- * /dev/random. Should be enough to do a significant reseed.
1517 +- */
1518 +-static int random_read_wakeup_bits = 64;
1519 ++/* Used by wait_for_random_bytes(), and considered an entropy collector, below. */
1520 ++static void try_to_generate_entropy(void);
1521 +
1522 + /*
1523 +- * If the entropy count falls under this number of bits, then we
1524 +- * should wake up processes which are selecting or polling on write
1525 +- * access to /dev/random.
1526 ++ * Wait for the input pool to be seeded and thus guaranteed to supply
1527 ++ * cryptographically secure random numbers. This applies to: the /dev/urandom
1528 ++ * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
1529 ++ * family of functions. Using any of these functions without first calling
1530 ++ * this function forfeits the guarantee of security.
1531 ++ *
1532 ++ * Returns: 0 if the input pool has been seeded.
1533 ++ * -ERESTARTSYS if the function was interrupted by a signal.
1534 + */
1535 +-static int random_write_wakeup_bits = 28 * OUTPUT_POOL_WORDS;
1536 ++int wait_for_random_bytes(void)
1537 ++{
1538 ++ while (!crng_ready()) {
1539 ++ int ret;
1540 ++
1541 ++ try_to_generate_entropy();
1542 ++ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
1543 ++ if (ret)
1544 ++ return ret > 0 ? 0 : ret;
1545 ++ }
1546 ++ return 0;
1547 ++}
1548 ++EXPORT_SYMBOL(wait_for_random_bytes);
1549 +
1550 + /*
1551 +- * Originally, we used a primitive polynomial of degree .poolwords
1552 +- * over GF(2). The taps for various sizes are defined below. They
1553 +- * were chosen to be evenly spaced except for the last tap, which is 1
1554 +- * to get the twisting happening as fast as possible.
1555 +- *
1556 +- * For the purposes of better mixing, we use the CRC-32 polynomial as
1557 +- * well to make a (modified) twisted Generalized Feedback Shift
1558 +- * Register. (See M. Matsumoto & Y. Kurita, 1992. Twisted GFSR
1559 +- * generators. ACM Transactions on Modeling and Computer Simulation
1560 +- * 2(3):179-194. Also see M. Matsumoto & Y. Kurita, 1994. Twisted
1561 +- * GFSR generators II. ACM Transactions on Modeling and Computer
1562 +- * Simulation 4:254-266)
1563 +- *
1564 +- * Thanks to Colin Plumb for suggesting this.
1565 +- *
1566 +- * The mixing operation is much less sensitive than the output hash,
1567 +- * where we use SHA-1. All that we want of mixing operation is that
1568 +- * it be a good non-cryptographic hash; i.e. it not produce collisions
1569 +- * when fed "random" data of the sort we expect to see. As long as
1570 +- * the pool state differs for different inputs, we have preserved the
1571 +- * input entropy and done a good job. The fact that an intelligent
1572 +- * attacker can construct inputs that will produce controlled
1573 +- * alterations to the pool's state is not important because we don't
1574 +- * consider such inputs to contribute any randomness. The only
1575 +- * property we need with respect to them is that the attacker can't
1576 +- * increase his/her knowledge of the pool's state. Since all
1577 +- * additions are reversible (knowing the final state and the input,
1578 +- * you can reconstruct the initial state), if an attacker has any
1579 +- * uncertainty about the initial state, he/she can only shuffle that
1580 +- * uncertainty about, but never cause any collisions (which would
1581 +- * decrease the uncertainty).
1582 ++ * Add a callback function that will be invoked when the input
1583 ++ * pool is initialised.
1584 + *
1585 +- * Our mixing functions were analyzed by Lacharme, Roeck, Strubel, and
1586 +- * Videau in their paper, "The Linux Pseudorandom Number Generator
1587 +- * Revisited" (see: http://eprint.iacr.org/2012/251.pdf). In their
1588 +- * paper, they point out that we are not using a true Twisted GFSR,
1589 +- * since Matsumoto & Kurita used a trinomial feedback polynomial (that
1590 +- * is, with only three taps, instead of the six that we are using).
1591 +- * As a result, the resulting polynomial is neither primitive nor
1592 +- * irreducible, and hence does not have a maximal period over
1593 +- * GF(2**32). They suggest a slight change to the generator
1594 +- * polynomial which improves the resulting TGFSR polynomial to be
1595 +- * irreducible, which we have made here.
1596 ++ * returns: 0 if callback is successfully added
1597 ++ * -EALREADY if pool is already initialised (callback not called)
1598 + */
1599 +-static struct poolinfo {
1600 +- int poolbitshift, poolwords, poolbytes, poolbits, poolfracbits;
1601 +-#define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5)
1602 +- int tap1, tap2, tap3, tap4, tap5;
1603 +-} poolinfo_table[] = {
1604 +- /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */
1605 +- /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
1606 +- { S(128), 104, 76, 51, 25, 1 },
1607 +- /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */
1608 +- /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */
1609 +- { S(32), 26, 19, 14, 7, 1 },
1610 +-#if 0
1611 +- /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
1612 +- { S(2048), 1638, 1231, 819, 411, 1 },
1613 +-
1614 +- /* x^1024 + x^817 + x^615 + x^412 + x^204 + x + 1 -- 290 */
1615 +- { S(1024), 817, 615, 412, 204, 1 },
1616 +-
1617 +- /* x^1024 + x^819 + x^616 + x^410 + x^207 + x^2 + 1 -- 115 */
1618 +- { S(1024), 819, 616, 410, 207, 2 },
1619 +-
1620 +- /* x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 -- 225 */
1621 +- { S(512), 411, 308, 208, 104, 1 },
1622 +-
1623 +- /* x^512 + x^409 + x^307 + x^206 + x^102 + x^2 + 1 -- 95 */
1624 +- { S(512), 409, 307, 206, 102, 2 },
1625 +- /* x^512 + x^409 + x^309 + x^205 + x^103 + x^2 + 1 -- 95 */
1626 +- { S(512), 409, 309, 205, 103, 2 },
1627 +-
1628 +- /* x^256 + x^205 + x^155 + x^101 + x^52 + x + 1 -- 125 */
1629 +- { S(256), 205, 155, 101, 52, 1 },
1630 +-
1631 +- /* x^128 + x^103 + x^78 + x^51 + x^27 + x^2 + 1 -- 70 */
1632 +- { S(128), 103, 78, 51, 27, 2 },
1633 +-
1634 +- /* x^64 + x^52 + x^39 + x^26 + x^14 + x + 1 -- 15 */
1635 +- { S(64), 52, 39, 26, 14, 1 },
1636 +-#endif
1637 +-};
1638 ++int __cold register_random_ready_notifier(struct notifier_block *nb)
1639 ++{
1640 ++ unsigned long flags;
1641 ++ int ret = -EALREADY;
1642 ++
1643 ++ if (crng_ready())
1644 ++ return ret;
1645 ++
1646 ++ spin_lock_irqsave(&random_ready_chain_lock, flags);
1647 ++ if (!crng_ready())
1648 ++ ret = raw_notifier_chain_register(&random_ready_chain, nb);
1649 ++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
1650 ++ return ret;
1651 ++}
1652 +
1653 + /*
1654 +- * Static global variables
1655 ++ * Delete a previously registered readiness callback function.
1656 + */
1657 +-static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
1658 +-static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
1659 +-static struct fasync_struct *fasync;
1660 +-
1661 +-static DEFINE_SPINLOCK(random_ready_list_lock);
1662 +-static LIST_HEAD(random_ready_list);
1663 ++int __cold unregister_random_ready_notifier(struct notifier_block *nb)
1664 ++{
1665 ++ unsigned long flags;
1666 ++ int ret;
1667 +
1668 +-struct crng_state {
1669 +- __u32 state[16];
1670 +- unsigned long init_time;
1671 +- spinlock_t lock;
1672 +-};
1673 ++ spin_lock_irqsave(&random_ready_chain_lock, flags);
1674 ++ ret = raw_notifier_chain_unregister(&random_ready_chain, nb);
1675 ++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
1676 ++ return ret;
1677 ++}
1678 +
1679 +-struct crng_state primary_crng = {
1680 +- .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock),
1681 +-};
1682 ++static void __cold process_random_ready_list(void)
1683 ++{
1684 ++ unsigned long flags;
1685 +
1686 +-/*
1687 +- * crng_init = 0 --> Uninitialized
1688 +- * 1 --> Initialized
1689 +- * 2 --> Initialized from input_pool
1690 +- *
1691 +- * crng_init is protected by primary_crng->lock, and only increases
1692 +- * its value (from 0->1->2).
1693 +- */
1694 +-static int crng_init = 0;
1695 +-#define crng_ready() (likely(crng_init > 1))
1696 +-static int crng_init_cnt = 0;
1697 +-static unsigned long crng_global_init_time = 0;
1698 +-#define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
1699 +-static void _extract_crng(struct crng_state *crng,
1700 +- __u8 out[CHACHA20_BLOCK_SIZE]);
1701 +-static void _crng_backtrack_protect(struct crng_state *crng,
1702 +- __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
1703 +-static void process_random_ready_list(void);
1704 +-static void _get_random_bytes(void *buf, int nbytes);
1705 +-
1706 +-static struct ratelimit_state unseeded_warning =
1707 +- RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3);
1708 +-static struct ratelimit_state urandom_warning =
1709 +- RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3);
1710 ++ spin_lock_irqsave(&random_ready_chain_lock, flags);
1711 ++ raw_notifier_call_chain(&random_ready_chain, 0, NULL);
1712 ++ spin_unlock_irqrestore(&random_ready_chain_lock, flags);
1713 ++}
1714 +
1715 +-static int ratelimit_disable __read_mostly;
1716 ++#define warn_unseeded_randomness() \
1717 ++ if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \
1718 ++ pr_notice("%s called from %pS with crng_init=%d\n", \
1719 ++ __func__, (void *)_RET_IP_, crng_init)
1720 +
1721 +-module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
1722 +-MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
1723 +
1724 +-/**********************************************************************
1725 ++/*********************************************************************
1726 + *
1727 +- * OS independent entropy store. Here are the functions which handle
1728 +- * storing entropy in an entropy pool.
1729 ++ * Fast key erasure RNG, the "crng".
1730 + *
1731 +- **********************************************************************/
1732 ++ * These functions expand entropy from the entropy extractor into
1733 ++ * long streams for external consumption using the "fast key erasure"
1734 ++ * RNG described at <https://blog.cr.yp.to/20170723-random.html>.
1735 ++ *
1736 ++ * There are a few exported interfaces for use by other drivers:
1737 ++ *
1738 ++ * void get_random_bytes(void *buf, size_t len)
1739 ++ * u32 get_random_u32()
1740 ++ * u64 get_random_u64()
1741 ++ * unsigned int get_random_int()
1742 ++ * unsigned long get_random_long()
1743 ++ *
1744 ++ * These interfaces will return the requested number of random bytes
1745 ++ * into the given buffer or as a return value. This is equivalent to
1746 ++ * a read from /dev/urandom. The u32, u64, int, and long family of
1747 ++ * functions may be higher performance for one-off random integers,
1748 ++ * because they do a bit of buffering and do not invoke reseeding
1749 ++ * until the buffer is emptied.
1750 ++ *
1751 ++ *********************************************************************/
1752 +
1753 +-struct entropy_store;
1754 +-struct entropy_store {
1755 +- /* read-only data: */
1756 +- const struct poolinfo *poolinfo;
1757 +- __u32 *pool;
1758 +- const char *name;
1759 +- struct entropy_store *pull;
1760 +- struct work_struct push_work;
1761 +-
1762 +- /* read-write data: */
1763 +- unsigned long last_pulled;
1764 +- spinlock_t lock;
1765 +- unsigned short add_ptr;
1766 +- unsigned short input_rotate;
1767 +- int entropy_count;
1768 +- int entropy_total;
1769 +- unsigned int initialized:1;
1770 +- unsigned int last_data_init:1;
1771 +- __u8 last_data[EXTRACT_SIZE];
1772 ++enum {
1773 ++ CRNG_RESEED_START_INTERVAL = HZ,
1774 ++ CRNG_RESEED_INTERVAL = 60 * HZ
1775 + };
1776 +
1777 +-static ssize_t extract_entropy(struct entropy_store *r, void *buf,
1778 +- size_t nbytes, int min, int rsvd);
1779 +-static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
1780 +- size_t nbytes, int fips);
1781 +-
1782 +-static void crng_reseed(struct crng_state *crng, struct entropy_store *r);
1783 +-static void push_to_pool(struct work_struct *work);
1784 +-static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
1785 +-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
1786 +-
1787 +-static struct entropy_store input_pool = {
1788 +- .poolinfo = &poolinfo_table[0],
1789 +- .name = "input",
1790 +- .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
1791 +- .pool = input_pool_data
1792 ++static struct {
1793 ++ u8 key[CHACHA20_KEY_SIZE] __aligned(__alignof__(long));
1794 ++ unsigned long birth;
1795 ++ unsigned long generation;
1796 ++ spinlock_t lock;
1797 ++} base_crng = {
1798 ++ .lock = __SPIN_LOCK_UNLOCKED(base_crng.lock)
1799 + };
1800 +
1801 +-static struct entropy_store blocking_pool = {
1802 +- .poolinfo = &poolinfo_table[1],
1803 +- .name = "blocking",
1804 +- .pull = &input_pool,
1805 +- .lock = __SPIN_LOCK_UNLOCKED(blocking_pool.lock),
1806 +- .pool = blocking_pool_data,
1807 +- .push_work = __WORK_INITIALIZER(blocking_pool.push_work,
1808 +- push_to_pool),
1809 ++struct crng {
1810 ++ u8 key[CHACHA20_KEY_SIZE];
1811 ++ unsigned long generation;
1812 + };
1813 +
1814 +-static __u32 const twist_table[8] = {
1815 +- 0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
1816 +- 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
1817 +-
1818 +-/*
1819 +- * This function adds bytes into the entropy "pool". It does not
1820 +- * update the entropy estimate. The caller should call
1821 +- * credit_entropy_bits if this is appropriate.
1822 +- *
1823 +- * The pool is stirred with a primitive polynomial of the appropriate
1824 +- * degree, and then twisted. We twist by three bits at a time because
1825 +- * it's cheap to do so and helps slightly in the expected case where
1826 +- * the entropy is concentrated in the low-order bits.
1827 +- */
1828 +-static void _mix_pool_bytes(struct entropy_store *r, const void *in,
1829 +- int nbytes)
1830 +-{
1831 +- unsigned long i, tap1, tap2, tap3, tap4, tap5;
1832 +- int input_rotate;
1833 +- int wordmask = r->poolinfo->poolwords - 1;
1834 +- const char *bytes = in;
1835 +- __u32 w;
1836 +-
1837 +- tap1 = r->poolinfo->tap1;
1838 +- tap2 = r->poolinfo->tap2;
1839 +- tap3 = r->poolinfo->tap3;
1840 +- tap4 = r->poolinfo->tap4;
1841 +- tap5 = r->poolinfo->tap5;
1842 +-
1843 +- input_rotate = r->input_rotate;
1844 +- i = r->add_ptr;
1845 +-
1846 +- /* mix one byte at a time to simplify size handling and churn faster */
1847 +- while (nbytes--) {
1848 +- w = rol32(*bytes++, input_rotate);
1849 +- i = (i - 1) & wordmask;
1850 +-
1851 +- /* XOR in the various taps */
1852 +- w ^= r->pool[i];
1853 +- w ^= r->pool[(i + tap1) & wordmask];
1854 +- w ^= r->pool[(i + tap2) & wordmask];
1855 +- w ^= r->pool[(i + tap3) & wordmask];
1856 +- w ^= r->pool[(i + tap4) & wordmask];
1857 +- w ^= r->pool[(i + tap5) & wordmask];
1858 +-
1859 +- /* Mix the result back in with a twist */
1860 +- r->pool[i] = (w >> 3) ^ twist_table[w & 7];
1861 +-
1862 +- /*
1863 +- * Normally, we add 7 bits of rotation to the pool.
1864 +- * At the beginning of the pool, add an extra 7 bits
1865 +- * rotation, so that successive passes spread the
1866 +- * input bits across the pool evenly.
1867 +- */
1868 +- input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
1869 +- }
1870 +-
1871 +- r->input_rotate = input_rotate;
1872 +- r->add_ptr = i;
1873 +-}
1874 ++static DEFINE_PER_CPU(struct crng, crngs) = {
1875 ++ .generation = ULONG_MAX
1876 ++};
1877 +
1878 +-static void __mix_pool_bytes(struct entropy_store *r, const void *in,
1879 +- int nbytes)
1880 +-{
1881 +- trace_mix_pool_bytes_nolock(r->name, nbytes, _RET_IP_);
1882 +- _mix_pool_bytes(r, in, nbytes);
1883 +-}
1884 ++/* Used by crng_reseed() and crng_make_state() to extract a new seed from the input pool. */
1885 ++static void extract_entropy(void *buf, size_t len);
1886 +
1887 +-static void mix_pool_bytes(struct entropy_store *r, const void *in,
1888 +- int nbytes)
1889 ++/* This extracts a new crng key from the input pool. */
1890 ++static void crng_reseed(void)
1891 + {
1892 + unsigned long flags;
1893 ++ unsigned long next_gen;
1894 ++ u8 key[CHACHA20_KEY_SIZE];
1895 +
1896 +- trace_mix_pool_bytes(r->name, nbytes, _RET_IP_);
1897 +- spin_lock_irqsave(&r->lock, flags);
1898 +- _mix_pool_bytes(r, in, nbytes);
1899 +- spin_unlock_irqrestore(&r->lock, flags);
1900 +-}
1901 ++ extract_entropy(key, sizeof(key));
1902 +
1903 +-struct fast_pool {
1904 +- __u32 pool[4];
1905 +- unsigned long last;
1906 +- unsigned short reg_idx;
1907 +- unsigned char count;
1908 +-};
1909 ++ /*
1910 ++ * We copy the new key into the base_crng, overwriting the old one,
1911 ++ * and update the generation counter. We avoid hitting ULONG_MAX,
1912 ++ * because the per-cpu crngs are initialized to ULONG_MAX, so this
1913 ++ * forces new CPUs that come online to always initialize.
1914 ++ */
1915 ++ spin_lock_irqsave(&base_crng.lock, flags);
1916 ++ memcpy(base_crng.key, key, sizeof(base_crng.key));
1917 ++ next_gen = base_crng.generation + 1;
1918 ++ if (next_gen == ULONG_MAX)
1919 ++ ++next_gen;
1920 ++ WRITE_ONCE(base_crng.generation, next_gen);
1921 ++ WRITE_ONCE(base_crng.birth, jiffies);
1922 ++ if (!crng_ready())
1923 ++ crng_init = CRNG_READY;
1924 ++ spin_unlock_irqrestore(&base_crng.lock, flags);
1925 ++ memzero_explicit(key, sizeof(key));
1926 ++}
1927 +
1928 + /*
1929 +- * This is a fast mixing routine used by the interrupt randomness
1930 +- * collector. It's hardcoded for an 128 bit pool and assumes that any
1931 +- * locks that might be needed are taken by the caller.
1932 ++ * This generates a ChaCha block using the provided key, and then
1933 ++ * immediately overwites that key with half the block. It returns
1934 ++ * the resultant ChaCha state to the user, along with the second
1935 ++ * half of the block containing 32 bytes of random data that may
1936 ++ * be used; random_data_len may not be greater than 32.
1937 ++ *
1938 ++ * The returned ChaCha state contains within it a copy of the old
1939 ++ * key value, at index 4, so the state should always be zeroed out
1940 ++ * immediately after using in order to maintain forward secrecy.
1941 ++ * If the state cannot be erased in a timely manner, then it is
1942 ++ * safer to set the random_data parameter to &chacha_state[4] so
1943 ++ * that this function overwrites it before returning.
1944 + */
1945 +-static void fast_mix(struct fast_pool *f)
1946 ++static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE],
1947 ++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
1948 ++ u8 *random_data, size_t random_data_len)
1949 + {
1950 +- __u32 a = f->pool[0], b = f->pool[1];
1951 +- __u32 c = f->pool[2], d = f->pool[3];
1952 ++ u8 first_block[CHACHA20_BLOCK_SIZE];
1953 +
1954 +- a += b; c += d;
1955 +- b = rol32(b, 6); d = rol32(d, 27);
1956 +- d ^= a; b ^= c;
1957 ++ BUG_ON(random_data_len > 32);
1958 +
1959 +- a += b; c += d;
1960 +- b = rol32(b, 16); d = rol32(d, 14);
1961 +- d ^= a; b ^= c;
1962 ++ chacha_init_consts(chacha_state);
1963 ++ memcpy(&chacha_state[4], key, CHACHA20_KEY_SIZE);
1964 ++ memset(&chacha_state[12], 0, sizeof(u32) * 4);
1965 ++ chacha20_block(chacha_state, first_block);
1966 +
1967 +- a += b; c += d;
1968 +- b = rol32(b, 6); d = rol32(d, 27);
1969 +- d ^= a; b ^= c;
1970 +-
1971 +- a += b; c += d;
1972 +- b = rol32(b, 16); d = rol32(d, 14);
1973 +- d ^= a; b ^= c;
1974 +-
1975 +- f->pool[0] = a; f->pool[1] = b;
1976 +- f->pool[2] = c; f->pool[3] = d;
1977 +- f->count++;
1978 ++ memcpy(key, first_block, CHACHA20_KEY_SIZE);
1979 ++ memcpy(random_data, first_block + CHACHA20_KEY_SIZE, random_data_len);
1980 ++ memzero_explicit(first_block, sizeof(first_block));
1981 + }
1982 +
1983 +-static void process_random_ready_list(void)
1984 +-{
1985 +- unsigned long flags;
1986 +- struct random_ready_callback *rdy, *tmp;
1987 +-
1988 +- spin_lock_irqsave(&random_ready_list_lock, flags);
1989 +- list_for_each_entry_safe(rdy, tmp, &random_ready_list, list) {
1990 +- struct module *owner = rdy->owner;
1991 +-
1992 +- list_del_init(&rdy->list);
1993 +- rdy->func(rdy);
1994 +- module_put(owner);
1995 ++/*
1996 ++ * Return whether the crng seed is considered to be sufficiently old
1997 ++ * that a reseeding is needed. This happens if the last reseeding
1998 ++ * was CRNG_RESEED_INTERVAL ago, or during early boot, at an interval
1999 ++ * proportional to the uptime.
2000 ++ */
2001 ++static bool crng_has_old_seed(void)
2002 ++{
2003 ++ static bool early_boot = true;
2004 ++ unsigned long interval = CRNG_RESEED_INTERVAL;
2005 ++
2006 ++ if (unlikely(READ_ONCE(early_boot))) {
2007 ++ time64_t uptime = ktime_get_seconds();
2008 ++ if (uptime >= CRNG_RESEED_INTERVAL / HZ * 2)
2009 ++ WRITE_ONCE(early_boot, false);
2010 ++ else
2011 ++ interval = max_t(unsigned int, CRNG_RESEED_START_INTERVAL,
2012 ++ (unsigned int)uptime / 2 * HZ);
2013 + }
2014 +- spin_unlock_irqrestore(&random_ready_list_lock, flags);
2015 ++ return time_is_before_jiffies(READ_ONCE(base_crng.birth) + interval);
2016 + }
2017 +
2018 + /*
2019 +- * Credit (or debit) the entropy store with n bits of entropy.
2020 +- * Use credit_entropy_bits_safe() if the value comes from userspace
2021 +- * or otherwise should be checked for extreme values.
2022 ++ * This function returns a ChaCha state that you may use for generating
2023 ++ * random data. It also returns up to 32 bytes on its own of random data
2024 ++ * that may be used; random_data_len may not be greater than 32.
2025 + */
2026 +-static void credit_entropy_bits(struct entropy_store *r, int nbits)
2027 ++static void crng_make_state(u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
2028 ++ u8 *random_data, size_t random_data_len)
2029 + {
2030 +- int entropy_count, orig;
2031 +- const int pool_size = r->poolinfo->poolfracbits;
2032 +- int nfrac = nbits << ENTROPY_SHIFT;
2033 +-
2034 +- if (!nbits)
2035 +- return;
2036 ++ unsigned long flags;
2037 ++ struct crng *crng;
2038 +
2039 +-retry:
2040 +- entropy_count = orig = READ_ONCE(r->entropy_count);
2041 +- if (nfrac < 0) {
2042 +- /* Debit */
2043 +- entropy_count += nfrac;
2044 +- } else {
2045 +- /*
2046 +- * Credit: we have to account for the possibility of
2047 +- * overwriting already present entropy. Even in the
2048 +- * ideal case of pure Shannon entropy, new contributions
2049 +- * approach the full value asymptotically:
2050 +- *
2051 +- * entropy <- entropy + (pool_size - entropy) *
2052 +- * (1 - exp(-add_entropy/pool_size))
2053 +- *
2054 +- * For add_entropy <= pool_size/2 then
2055 +- * (1 - exp(-add_entropy/pool_size)) >=
2056 +- * (add_entropy/pool_size)*0.7869...
2057 +- * so we can approximate the exponential with
2058 +- * 3/4*add_entropy/pool_size and still be on the
2059 +- * safe side by adding at most pool_size/2 at a time.
2060 +- *
2061 +- * The use of pool_size-2 in the while statement is to
2062 +- * prevent rounding artifacts from making the loop
2063 +- * arbitrarily long; this limits the loop to log2(pool_size)*2
2064 +- * turns no matter how large nbits is.
2065 +- */
2066 +- int pnfrac = nfrac;
2067 +- const int s = r->poolinfo->poolbitshift + ENTROPY_SHIFT + 2;
2068 +- /* The +2 corresponds to the /4 in the denominator */
2069 +-
2070 +- do {
2071 +- unsigned int anfrac = min(pnfrac, pool_size/2);
2072 +- unsigned int add =
2073 +- ((pool_size - entropy_count)*anfrac*3) >> s;
2074 +-
2075 +- entropy_count += add;
2076 +- pnfrac -= anfrac;
2077 +- } while (unlikely(entropy_count < pool_size-2 && pnfrac));
2078 +- }
2079 ++ BUG_ON(random_data_len > 32);
2080 +
2081 +- if (unlikely(entropy_count < 0)) {
2082 +- pr_warn("random: negative entropy/overflow: pool %s count %d\n",
2083 +- r->name, entropy_count);
2084 +- WARN_ON(1);
2085 +- entropy_count = 0;
2086 +- } else if (entropy_count > pool_size)
2087 +- entropy_count = pool_size;
2088 +- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
2089 +- goto retry;
2090 +-
2091 +- r->entropy_total += nbits;
2092 +- if (!r->initialized && r->entropy_total > 128) {
2093 +- r->initialized = 1;
2094 +- r->entropy_total = 0;
2095 ++ /*
2096 ++ * For the fast path, we check whether we're ready, unlocked first, and
2097 ++ * then re-check once locked later. In the case where we're really not
2098 ++ * ready, we do fast key erasure with the base_crng directly, extracting
2099 ++ * when crng_init is CRNG_EMPTY.
2100 ++ */
2101 ++ if (!crng_ready()) {
2102 ++ bool ready;
2103 ++
2104 ++ spin_lock_irqsave(&base_crng.lock, flags);
2105 ++ ready = crng_ready();
2106 ++ if (!ready) {
2107 ++ if (crng_init == CRNG_EMPTY)
2108 ++ extract_entropy(base_crng.key, sizeof(base_crng.key));
2109 ++ crng_fast_key_erasure(base_crng.key, chacha_state,
2110 ++ random_data, random_data_len);
2111 ++ }
2112 ++ spin_unlock_irqrestore(&base_crng.lock, flags);
2113 ++ if (!ready)
2114 ++ return;
2115 + }
2116 +
2117 +- trace_credit_entropy_bits(r->name, nbits,
2118 +- entropy_count >> ENTROPY_SHIFT,
2119 +- r->entropy_total, _RET_IP_);
2120 +-
2121 +- if (r == &input_pool) {
2122 +- int entropy_bits = entropy_count >> ENTROPY_SHIFT;
2123 ++ /*
2124 ++ * If the base_crng is old enough, we reseed, which in turn bumps the
2125 ++ * generation counter that we check below.
2126 ++ */
2127 ++ if (unlikely(crng_has_old_seed()))
2128 ++ crng_reseed();
2129 +
2130 +- if (crng_init < 2 && entropy_bits >= 128) {
2131 +- crng_reseed(&primary_crng, r);
2132 +- entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
2133 +- }
2134 ++ local_irq_save(flags);
2135 ++ crng = raw_cpu_ptr(&crngs);
2136 +
2137 +- /* should we wake readers? */
2138 +- if (entropy_bits >= random_read_wakeup_bits &&
2139 +- wq_has_sleeper(&random_read_wait)) {
2140 +- wake_up_interruptible(&random_read_wait);
2141 +- kill_fasync(&fasync, SIGIO, POLL_IN);
2142 +- }
2143 +- /* If the input pool is getting full, send some
2144 +- * entropy to the blocking pool until it is 75% full.
2145 +- */
2146 +- if (entropy_bits > random_write_wakeup_bits &&
2147 +- r->initialized &&
2148 +- r->entropy_total >= 2*random_read_wakeup_bits) {
2149 +- struct entropy_store *other = &blocking_pool;
2150 +-
2151 +- if (other->entropy_count <=
2152 +- 3 * other->poolinfo->poolfracbits / 4) {
2153 +- schedule_work(&other->push_work);
2154 +- r->entropy_total = 0;
2155 +- }
2156 +- }
2157 ++ /*
2158 ++ * If our per-cpu crng is older than the base_crng, then it means
2159 ++ * somebody reseeded the base_crng. In that case, we do fast key
2160 ++ * erasure on the base_crng, and use its output as the new key
2161 ++ * for our per-cpu crng. This brings us up to date with base_crng.
2162 ++ */
2163 ++ if (unlikely(crng->generation != READ_ONCE(base_crng.generation))) {
2164 ++ spin_lock(&base_crng.lock);
2165 ++ crng_fast_key_erasure(base_crng.key, chacha_state,
2166 ++ crng->key, sizeof(crng->key));
2167 ++ crng->generation = base_crng.generation;
2168 ++ spin_unlock(&base_crng.lock);
2169 + }
2170 ++
2171 ++ /*
2172 ++ * Finally, when we've made it this far, our per-cpu crng has an up
2173 ++ * to date key, and we can do fast key erasure with it to produce
2174 ++ * some random data and a ChaCha state for the caller. All other
2175 ++ * branches of this function are "unlikely", so most of the time we
2176 ++ * should wind up here immediately.
2177 ++ */
2178 ++ crng_fast_key_erasure(crng->key, chacha_state, random_data, random_data_len);
2179 ++ local_irq_restore(flags);
2180 + }
2181 +
2182 +-static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
2183 ++static void _get_random_bytes(void *buf, size_t len)
2184 + {
2185 +- const int nbits_max = r->poolinfo->poolwords * 32;
2186 +-
2187 +- if (nbits < 0)
2188 +- return -EINVAL;
2189 ++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
2190 ++ u8 tmp[CHACHA20_BLOCK_SIZE];
2191 ++ size_t first_block_len;
2192 +
2193 +- /* Cap the value to avoid overflows */
2194 +- nbits = min(nbits, nbits_max);
2195 ++ if (!len)
2196 ++ return;
2197 +
2198 +- credit_entropy_bits(r, nbits);
2199 +- return 0;
2200 +-}
2201 ++ first_block_len = min_t(size_t, 32, len);
2202 ++ crng_make_state(chacha_state, buf, first_block_len);
2203 ++ len -= first_block_len;
2204 ++ buf += first_block_len;
2205 +
2206 +-/*********************************************************************
2207 +- *
2208 +- * CRNG using CHACHA20
2209 +- *
2210 +- *********************************************************************/
2211 ++ while (len) {
2212 ++ if (len < CHACHA20_BLOCK_SIZE) {
2213 ++ chacha20_block(chacha_state, tmp);
2214 ++ memcpy(buf, tmp, len);
2215 ++ memzero_explicit(tmp, sizeof(tmp));
2216 ++ break;
2217 ++ }
2218 +
2219 +-#define CRNG_RESEED_INTERVAL (300*HZ)
2220 ++ chacha20_block(chacha_state, buf);
2221 ++ if (unlikely(chacha_state[12] == 0))
2222 ++ ++chacha_state[13];
2223 ++ len -= CHACHA20_BLOCK_SIZE;
2224 ++ buf += CHACHA20_BLOCK_SIZE;
2225 ++ }
2226 +
2227 +-static DECLARE_WAIT_QUEUE_HEAD(crng_init_wait);
2228 ++ memzero_explicit(chacha_state, sizeof(chacha_state));
2229 ++}
2230 +
2231 +-#ifdef CONFIG_NUMA
2232 + /*
2233 +- * Hack to deal with crazy userspace progams when they are all trying
2234 +- * to access /dev/urandom in parallel. The programs are almost
2235 +- * certainly doing something terribly wrong, but we'll work around
2236 +- * their brain damage.
2237 ++ * This function is the exported kernel interface. It returns some
2238 ++ * number of good random numbers, suitable for key generation, seeding
2239 ++ * TCP sequence numbers, etc. It does not rely on the hardware random
2240 ++ * number generator. For random bytes direct from the hardware RNG
2241 ++ * (when available), use get_random_bytes_arch(). In order to ensure
2242 ++ * that the randomness provided by this function is okay, the function
2243 ++ * wait_for_random_bytes() should be called and return 0 at least once
2244 ++ * at any point prior.
2245 + */
2246 +-static struct crng_state **crng_node_pool __read_mostly;
2247 +-#endif
2248 +-
2249 +-static void invalidate_batched_entropy(void);
2250 +-static void numa_crng_init(void);
2251 +-
2252 +-static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
2253 +-static int __init parse_trust_cpu(char *arg)
2254 ++void get_random_bytes(void *buf, size_t len)
2255 + {
2256 +- return kstrtobool(arg, &trust_cpu);
2257 ++ warn_unseeded_randomness();
2258 ++ _get_random_bytes(buf, len);
2259 + }
2260 +-early_param("random.trust_cpu", parse_trust_cpu);
2261 ++EXPORT_SYMBOL(get_random_bytes);
2262 +
2263 +-static void crng_initialize(struct crng_state *crng)
2264 ++static ssize_t get_random_bytes_user(struct iov_iter *iter)
2265 + {
2266 +- int i;
2267 +- int arch_init = 1;
2268 +- unsigned long rv;
2269 +-
2270 +- memcpy(&crng->state[0], "expand 32-byte k", 16);
2271 +- if (crng == &primary_crng)
2272 +- _extract_entropy(&input_pool, &crng->state[4],
2273 +- sizeof(__u32) * 12, 0);
2274 +- else
2275 +- _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
2276 +- for (i = 4; i < 16; i++) {
2277 +- if (!arch_get_random_seed_long(&rv) &&
2278 +- !arch_get_random_long(&rv)) {
2279 +- rv = random_get_entropy();
2280 +- arch_init = 0;
2281 +- }
2282 +- crng->state[i] ^= rv;
2283 +- }
2284 +- if (trust_cpu && arch_init && crng == &primary_crng) {
2285 +- invalidate_batched_entropy();
2286 +- numa_crng_init();
2287 +- crng_init = 2;
2288 +- pr_notice("random: crng done (trusting CPU's manufacturer)\n");
2289 +- }
2290 +- crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
2291 +-}
2292 ++ u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)];
2293 ++ u8 block[CHACHA20_BLOCK_SIZE];
2294 ++ size_t ret = 0, copied;
2295 +
2296 +-#ifdef CONFIG_NUMA
2297 +-static void do_numa_crng_init(struct work_struct *work)
2298 +-{
2299 +- int i;
2300 +- struct crng_state *crng;
2301 +- struct crng_state **pool;
2302 +-
2303 +- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
2304 +- for_each_online_node(i) {
2305 +- crng = kmalloc_node(sizeof(struct crng_state),
2306 +- GFP_KERNEL | __GFP_NOFAIL, i);
2307 +- spin_lock_init(&crng->lock);
2308 +- crng_initialize(crng);
2309 +- pool[i] = crng;
2310 +- }
2311 +- /* pairs with READ_ONCE() in select_crng() */
2312 +- if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) {
2313 +- for_each_node(i)
2314 +- kfree(pool[i]);
2315 +- kfree(pool);
2316 +- }
2317 +-}
2318 ++ if (unlikely(!iov_iter_count(iter)))
2319 ++ return 0;
2320 +
2321 +-static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init);
2322 ++ /*
2323 ++ * Immediately overwrite the ChaCha key at index 4 with random
2324 ++ * bytes, in case userspace causes copy_to_user() below to sleep
2325 ++ * forever, so that we still retain forward secrecy in that case.
2326 ++ */
2327 ++ crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA20_KEY_SIZE);
2328 ++ /*
2329 ++ * However, if we're doing a read of len <= 32, we don't need to
2330 ++ * use chacha_state after, so we can simply return those bytes to
2331 ++ * the user directly.
2332 ++ */
2333 ++ if (iov_iter_count(iter) <= CHACHA20_KEY_SIZE) {
2334 ++ ret = copy_to_iter(&chacha_state[4], CHACHA20_KEY_SIZE, iter);
2335 ++ goto out_zero_chacha;
2336 ++ }
2337 +
2338 +-static void numa_crng_init(void)
2339 +-{
2340 +- schedule_work(&numa_crng_init_work);
2341 +-}
2342 ++ for (;;) {
2343 ++ chacha20_block(chacha_state, block);
2344 ++ if (unlikely(chacha_state[12] == 0))
2345 ++ ++chacha_state[13];
2346 +
2347 +-static struct crng_state *select_crng(void)
2348 +-{
2349 +- struct crng_state **pool;
2350 +- int nid = numa_node_id();
2351 ++ copied = copy_to_iter(block, sizeof(block), iter);
2352 ++ ret += copied;
2353 ++ if (!iov_iter_count(iter) || copied != sizeof(block))
2354 ++ break;
2355 +
2356 +- /* pairs with cmpxchg_release() in do_numa_crng_init() */
2357 +- pool = READ_ONCE(crng_node_pool);
2358 +- if (pool && pool[nid])
2359 +- return pool[nid];
2360 ++ BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0);
2361 ++ if (ret % PAGE_SIZE == 0) {
2362 ++ if (signal_pending(current))
2363 ++ break;
2364 ++ cond_resched();
2365 ++ }
2366 ++ }
2367 +
2368 +- return &primary_crng;
2369 ++ memzero_explicit(block, sizeof(block));
2370 ++out_zero_chacha:
2371 ++ memzero_explicit(chacha_state, sizeof(chacha_state));
2372 ++ return ret ? ret : -EFAULT;
2373 + }
2374 +-#else
2375 +-static void numa_crng_init(void) {}
2376 +
2377 +-static struct crng_state *select_crng(void)
2378 ++/*
2379 ++ * Batched entropy returns random integers. The quality of the random
2380 ++ * number is good as /dev/urandom. In order to ensure that the randomness
2381 ++ * provided by this function is okay, the function wait_for_random_bytes()
2382 ++ * should be called and return 0 at least once at any point prior.
2383 ++ */
2384 ++
2385 ++#define DEFINE_BATCHED_ENTROPY(type) \
2386 ++struct batch_ ##type { \
2387 ++ /* \
2388 ++ * We make this 1.5x a ChaCha block, so that we get the \
2389 ++ * remaining 32 bytes from fast key erasure, plus one full \
2390 ++ * block from the detached ChaCha state. We can increase \
2391 ++ * the size of this later if needed so long as we keep the \
2392 ++ * formula of (integer_blocks + 0.5) * CHACHA20_BLOCK_SIZE. \
2393 ++ */ \
2394 ++ type entropy[CHACHA20_BLOCK_SIZE * 3 / (2 * sizeof(type))]; \
2395 ++ unsigned long generation; \
2396 ++ unsigned int position; \
2397 ++}; \
2398 ++ \
2399 ++static DEFINE_PER_CPU(struct batch_ ##type, batched_entropy_ ##type) = { \
2400 ++ .position = UINT_MAX \
2401 ++}; \
2402 ++ \
2403 ++type get_random_ ##type(void) \
2404 ++{ \
2405 ++ type ret; \
2406 ++ unsigned long flags; \
2407 ++ struct batch_ ##type *batch; \
2408 ++ unsigned long next_gen; \
2409 ++ \
2410 ++ warn_unseeded_randomness(); \
2411 ++ \
2412 ++ if (!crng_ready()) { \
2413 ++ _get_random_bytes(&ret, sizeof(ret)); \
2414 ++ return ret; \
2415 ++ } \
2416 ++ \
2417 ++ local_irq_save(flags); \
2418 ++ batch = raw_cpu_ptr(&batched_entropy_##type); \
2419 ++ \
2420 ++ next_gen = READ_ONCE(base_crng.generation); \
2421 ++ if (batch->position >= ARRAY_SIZE(batch->entropy) || \
2422 ++ next_gen != batch->generation) { \
2423 ++ _get_random_bytes(batch->entropy, sizeof(batch->entropy)); \
2424 ++ batch->position = 0; \
2425 ++ batch->generation = next_gen; \
2426 ++ } \
2427 ++ \
2428 ++ ret = batch->entropy[batch->position]; \
2429 ++ batch->entropy[batch->position] = 0; \
2430 ++ ++batch->position; \
2431 ++ local_irq_restore(flags); \
2432 ++ return ret; \
2433 ++} \
2434 ++EXPORT_SYMBOL(get_random_ ##type);
2435 ++
2436 ++DEFINE_BATCHED_ENTROPY(u64)
2437 ++DEFINE_BATCHED_ENTROPY(u32)
2438 ++
2439 ++#ifdef CONFIG_SMP
2440 ++/*
2441 ++ * This function is called when the CPU is coming up, with entry
2442 ++ * CPUHP_RANDOM_PREPARE, which comes before CPUHP_WORKQUEUE_PREP.
2443 ++ */
2444 ++int __cold random_prepare_cpu(unsigned int cpu)
2445 + {
2446 +- return &primary_crng;
2447 ++ /*
2448 ++ * When the cpu comes back online, immediately invalidate both
2449 ++ * the per-cpu crng and all batches, so that we serve fresh
2450 ++ * randomness.
2451 ++ */
2452 ++ per_cpu_ptr(&crngs, cpu)->generation = ULONG_MAX;
2453 ++ per_cpu_ptr(&batched_entropy_u32, cpu)->position = UINT_MAX;
2454 ++ per_cpu_ptr(&batched_entropy_u64, cpu)->position = UINT_MAX;
2455 ++ return 0;
2456 + }
2457 + #endif
2458 +
2459 + /*
2460 +- * crng_fast_load() can be called by code in the interrupt service
2461 +- * path. So we can't afford to dilly-dally.
2462 ++ * This function will use the architecture-specific hardware random
2463 ++ * number generator if it is available. It is not recommended for
2464 ++ * use. Use get_random_bytes() instead. It returns the number of
2465 ++ * bytes filled in.
2466 + */
2467 +-static int crng_fast_load(const char *cp, size_t len)
2468 ++size_t __must_check get_random_bytes_arch(void *buf, size_t len)
2469 + {
2470 +- unsigned long flags;
2471 +- char *p;
2472 ++ size_t left = len;
2473 ++ u8 *p = buf;
2474 +
2475 +- if (!spin_trylock_irqsave(&primary_crng.lock, flags))
2476 +- return 0;
2477 +- if (crng_init != 0) {
2478 +- spin_unlock_irqrestore(&primary_crng.lock, flags);
2479 +- return 0;
2480 +- }
2481 +- p = (unsigned char *) &primary_crng.state[4];
2482 +- while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
2483 +- p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp;
2484 +- cp++; crng_init_cnt++; len--;
2485 +- }
2486 +- spin_unlock_irqrestore(&primary_crng.lock, flags);
2487 +- if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
2488 +- invalidate_batched_entropy();
2489 +- crng_init = 1;
2490 +- wake_up_interruptible(&crng_init_wait);
2491 +- pr_notice("random: fast init done\n");
2492 +- }
2493 +- return 1;
2494 +-}
2495 +-
2496 +-/*
2497 +- * crng_slow_load() is called by add_device_randomness, which has two
2498 +- * attributes. (1) We can't trust the buffer passed to it is
2499 +- * guaranteed to be unpredictable (so it might not have any entropy at
2500 +- * all), and (2) it doesn't have the performance constraints of
2501 +- * crng_fast_load().
2502 +- *
2503 +- * So we do something more comprehensive which is guaranteed to touch
2504 +- * all of the primary_crng's state, and which uses a LFSR with a
2505 +- * period of 255 as part of the mixing algorithm. Finally, we do
2506 +- * *not* advance crng_init_cnt since buffer we may get may be something
2507 +- * like a fixed DMI table (for example), which might very well be
2508 +- * unique to the machine, but is otherwise unvarying.
2509 +- */
2510 +-static int crng_slow_load(const char *cp, size_t len)
2511 +-{
2512 +- unsigned long flags;
2513 +- static unsigned char lfsr = 1;
2514 +- unsigned char tmp;
2515 +- unsigned i, max = CHACHA20_KEY_SIZE;
2516 +- const char * src_buf = cp;
2517 +- char * dest_buf = (char *) &primary_crng.state[4];
2518 +-
2519 +- if (!spin_trylock_irqsave(&primary_crng.lock, flags))
2520 +- return 0;
2521 +- if (crng_init != 0) {
2522 +- spin_unlock_irqrestore(&primary_crng.lock, flags);
2523 +- return 0;
2524 +- }
2525 +- if (len > max)
2526 +- max = len;
2527 +-
2528 +- for (i = 0; i < max ; i++) {
2529 +- tmp = lfsr;
2530 +- lfsr >>= 1;
2531 +- if (tmp & 1)
2532 +- lfsr ^= 0xE1;
2533 +- tmp = dest_buf[i % CHACHA20_KEY_SIZE];
2534 +- dest_buf[i % CHACHA20_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
2535 +- lfsr += (tmp << 3) | (tmp >> 5);
2536 +- }
2537 +- spin_unlock_irqrestore(&primary_crng.lock, flags);
2538 +- return 1;
2539 +-}
2540 +-
2541 +-static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
2542 +-{
2543 +- unsigned long flags;
2544 +- int i, num;
2545 +- union {
2546 +- __u8 block[CHACHA20_BLOCK_SIZE];
2547 +- __u32 key[8];
2548 +- } buf;
2549 +-
2550 +- if (r) {
2551 +- num = extract_entropy(r, &buf, 32, 16, 0);
2552 +- if (num == 0)
2553 +- return;
2554 +- } else {
2555 +- _extract_crng(&primary_crng, buf.block);
2556 +- _crng_backtrack_protect(&primary_crng, buf.block,
2557 +- CHACHA20_KEY_SIZE);
2558 +- }
2559 +- spin_lock_irqsave(&crng->lock, flags);
2560 +- for (i = 0; i < 8; i++) {
2561 +- unsigned long rv;
2562 +- if (!arch_get_random_seed_long(&rv) &&
2563 +- !arch_get_random_long(&rv))
2564 +- rv = random_get_entropy();
2565 +- crng->state[i+4] ^= buf.key[i] ^ rv;
2566 +- }
2567 +- memzero_explicit(&buf, sizeof(buf));
2568 +- WRITE_ONCE(crng->init_time, jiffies);
2569 +- spin_unlock_irqrestore(&crng->lock, flags);
2570 +- if (crng == &primary_crng && crng_init < 2) {
2571 +- invalidate_batched_entropy();
2572 +- numa_crng_init();
2573 +- crng_init = 2;
2574 +- process_random_ready_list();
2575 +- wake_up_interruptible(&crng_init_wait);
2576 +- pr_notice("random: crng init done\n");
2577 +- if (unseeded_warning.missed) {
2578 +- pr_notice("random: %d get_random_xx warning(s) missed "
2579 +- "due to ratelimiting\n",
2580 +- unseeded_warning.missed);
2581 +- unseeded_warning.missed = 0;
2582 +- }
2583 +- if (urandom_warning.missed) {
2584 +- pr_notice("random: %d urandom warning(s) missed "
2585 +- "due to ratelimiting\n",
2586 +- urandom_warning.missed);
2587 +- urandom_warning.missed = 0;
2588 +- }
2589 +- }
2590 +-}
2591 +-
2592 +-static void _extract_crng(struct crng_state *crng,
2593 +- __u8 out[CHACHA20_BLOCK_SIZE])
2594 +-{
2595 +- unsigned long v, flags, init_time;
2596 +-
2597 +- if (crng_ready()) {
2598 +- init_time = READ_ONCE(crng->init_time);
2599 +- if (time_after(READ_ONCE(crng_global_init_time), init_time) ||
2600 +- time_after(jiffies, init_time + CRNG_RESEED_INTERVAL))
2601 +- crng_reseed(crng, crng == &primary_crng ?
2602 +- &input_pool : NULL);
2603 +- }
2604 +- spin_lock_irqsave(&crng->lock, flags);
2605 +- if (arch_get_random_long(&v))
2606 +- crng->state[14] ^= v;
2607 +- chacha20_block(&crng->state[0], out);
2608 +- if (crng->state[12] == 0)
2609 +- crng->state[13]++;
2610 +- spin_unlock_irqrestore(&crng->lock, flags);
2611 +-}
2612 +-
2613 +-static void extract_crng(__u8 out[CHACHA20_BLOCK_SIZE])
2614 +-{
2615 +- _extract_crng(select_crng(), out);
2616 +-}
2617 +-
2618 +-/*
2619 +- * Use the leftover bytes from the CRNG block output (if there is
2620 +- * enough) to mutate the CRNG key to provide backtracking protection.
2621 +- */
2622 +-static void _crng_backtrack_protect(struct crng_state *crng,
2623 +- __u8 tmp[CHACHA20_BLOCK_SIZE], int used)
2624 +-{
2625 +- unsigned long flags;
2626 +- __u32 *s, *d;
2627 +- int i;
2628 +-
2629 +- used = round_up(used, sizeof(__u32));
2630 +- if (used + CHACHA20_KEY_SIZE > CHACHA20_BLOCK_SIZE) {
2631 +- extract_crng(tmp);
2632 +- used = 0;
2633 +- }
2634 +- spin_lock_irqsave(&crng->lock, flags);
2635 +- s = (__u32 *) &tmp[used];
2636 +- d = &crng->state[4];
2637 +- for (i=0; i < 8; i++)
2638 +- *d++ ^= *s++;
2639 +- spin_unlock_irqrestore(&crng->lock, flags);
2640 +-}
2641 +-
2642 +-static void crng_backtrack_protect(__u8 tmp[CHACHA20_BLOCK_SIZE], int used)
2643 +-{
2644 +- _crng_backtrack_protect(select_crng(), tmp, used);
2645 +-}
2646 +-
2647 +-static ssize_t extract_crng_user(void __user *buf, size_t nbytes)
2648 +-{
2649 +- ssize_t ret = 0, i = CHACHA20_BLOCK_SIZE;
2650 +- __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
2651 +- int large_request = (nbytes > 256);
2652 +-
2653 +- while (nbytes) {
2654 +- if (large_request && need_resched()) {
2655 +- if (signal_pending(current)) {
2656 +- if (ret == 0)
2657 +- ret = -ERESTARTSYS;
2658 +- break;
2659 +- }
2660 +- schedule();
2661 +- }
2662 ++ while (left) {
2663 ++ unsigned long v;
2664 ++ size_t block_len = min_t(size_t, left, sizeof(unsigned long));
2665 +
2666 +- extract_crng(tmp);
2667 +- i = min_t(int, nbytes, CHACHA20_BLOCK_SIZE);
2668 +- if (copy_to_user(buf, tmp, i)) {
2669 +- ret = -EFAULT;
2670 ++ if (!arch_get_random_long(&v))
2671 + break;
2672 +- }
2673 +
2674 +- nbytes -= i;
2675 +- buf += i;
2676 +- ret += i;
2677 ++ memcpy(p, &v, block_len);
2678 ++ p += block_len;
2679 ++ left -= block_len;
2680 + }
2681 +- crng_backtrack_protect(tmp, i);
2682 +-
2683 +- /* Wipe data just written to memory */
2684 +- memzero_explicit(tmp, sizeof(tmp));
2685 +
2686 +- return ret;
2687 ++ return len - left;
2688 + }
2689 ++EXPORT_SYMBOL(get_random_bytes_arch);
2690 +
2691 +
2692 +-/*********************************************************************
2693 ++/**********************************************************************
2694 + *
2695 +- * Entropy input management
2696 ++ * Entropy accumulation and extraction routines.
2697 + *
2698 +- *********************************************************************/
2699 ++ * Callers may add entropy via:
2700 ++ *
2701 ++ * static void mix_pool_bytes(const void *buf, size_t len)
2702 ++ *
2703 ++ * After which, if added entropy should be credited:
2704 ++ *
2705 ++ * static void credit_init_bits(size_t bits)
2706 ++ *
2707 ++ * Finally, extract entropy via:
2708 ++ *
2709 ++ * static void extract_entropy(void *buf, size_t len)
2710 ++ *
2711 ++ **********************************************************************/
2712 +
2713 +-/* There is one of these per entropy source */
2714 +-struct timer_rand_state {
2715 +- cycles_t last_time;
2716 +- long last_delta, last_delta2;
2717 ++enum {
2718 ++ POOL_BITS = BLAKE2S_HASH_SIZE * 8,
2719 ++ POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */
2720 ++ POOL_EARLY_BITS = POOL_READY_BITS / 2 /* When crng_init->CRNG_EARLY */
2721 ++};
2722 ++
2723 ++static struct {
2724 ++ struct blake2s_state hash;
2725 ++ spinlock_t lock;
2726 ++ unsigned int init_bits;
2727 ++} input_pool = {
2728 ++ .hash.h = { BLAKE2S_IV0 ^ (0x01010000 | BLAKE2S_HASH_SIZE),
2729 ++ BLAKE2S_IV1, BLAKE2S_IV2, BLAKE2S_IV3, BLAKE2S_IV4,
2730 ++ BLAKE2S_IV5, BLAKE2S_IV6, BLAKE2S_IV7 },
2731 ++ .hash.outlen = BLAKE2S_HASH_SIZE,
2732 ++ .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
2733 + };
2734 +
2735 +-#define INIT_TIMER_RAND_STATE { INITIAL_JIFFIES, };
2736 ++static void _mix_pool_bytes(const void *buf, size_t len)
2737 ++{
2738 ++ blake2s_update(&input_pool.hash, buf, len);
2739 ++}
2740 +
2741 + /*
2742 +- * Add device- or boot-specific data to the input pool to help
2743 +- * initialize it.
2744 +- *
2745 +- * None of this adds any entropy; it is meant to avoid the problem of
2746 +- * the entropy pool having similar initial state across largely
2747 +- * identical devices.
2748 ++ * This function adds bytes into the input pool. It does not
2749 ++ * update the initialization bit counter; the caller should call
2750 ++ * credit_init_bits if this is appropriate.
2751 + */
2752 +-void add_device_randomness(const void *buf, unsigned int size)
2753 ++static void mix_pool_bytes(const void *buf, size_t len)
2754 + {
2755 +- unsigned long time = random_get_entropy() ^ jiffies;
2756 + unsigned long flags;
2757 +
2758 +- if (!crng_ready() && size)
2759 +- crng_slow_load(buf, size);
2760 +-
2761 +- trace_add_device_randomness(size, _RET_IP_);
2762 + spin_lock_irqsave(&input_pool.lock, flags);
2763 +- _mix_pool_bytes(&input_pool, buf, size);
2764 +- _mix_pool_bytes(&input_pool, &time, sizeof(time));
2765 ++ _mix_pool_bytes(buf, len);
2766 + spin_unlock_irqrestore(&input_pool.lock, flags);
2767 + }
2768 +-EXPORT_SYMBOL(add_device_randomness);
2769 +-
2770 +-static struct timer_rand_state input_timer_state = INIT_TIMER_RAND_STATE;
2771 +
2772 + /*
2773 +- * This function adds entropy to the entropy "pool" by using timing
2774 +- * delays. It uses the timer_rand_state structure to make an estimate
2775 +- * of how many bits of entropy this call has added to the pool.
2776 +- *
2777 +- * The number "num" is also added to the pool - it should somehow describe
2778 +- * the type of event which just happened. This is currently 0-255 for
2779 +- * keyboard scan codes, and 256 upwards for interrupts.
2780 +- *
2781 ++ * This is an HKDF-like construction for using the hashed collected entropy
2782 ++ * as a PRF key, that's then expanded block-by-block.
2783 + */
2784 +-static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
2785 ++static void extract_entropy(void *buf, size_t len)
2786 + {
2787 +- struct entropy_store *r;
2788 ++ unsigned long flags;
2789 ++ u8 seed[BLAKE2S_HASH_SIZE], next_key[BLAKE2S_HASH_SIZE];
2790 + struct {
2791 +- long jiffies;
2792 +- unsigned cycles;
2793 +- unsigned num;
2794 +- } sample;
2795 +- long delta, delta2, delta3;
2796 +-
2797 +- sample.jiffies = jiffies;
2798 +- sample.cycles = random_get_entropy();
2799 +- sample.num = num;
2800 +- r = &input_pool;
2801 +- mix_pool_bytes(r, &sample, sizeof(sample));
2802 +-
2803 +- /*
2804 +- * Calculate number of bits of randomness we probably added.
2805 +- * We take into account the first, second and third-order deltas
2806 +- * in order to make our estimate.
2807 +- */
2808 +- delta = sample.jiffies - READ_ONCE(state->last_time);
2809 +- WRITE_ONCE(state->last_time, sample.jiffies);
2810 +-
2811 +- delta2 = delta - READ_ONCE(state->last_delta);
2812 +- WRITE_ONCE(state->last_delta, delta);
2813 +-
2814 +- delta3 = delta2 - READ_ONCE(state->last_delta2);
2815 +- WRITE_ONCE(state->last_delta2, delta2);
2816 +-
2817 +- if (delta < 0)
2818 +- delta = -delta;
2819 +- if (delta2 < 0)
2820 +- delta2 = -delta2;
2821 +- if (delta3 < 0)
2822 +- delta3 = -delta3;
2823 +- if (delta > delta2)
2824 +- delta = delta2;
2825 +- if (delta > delta3)
2826 +- delta = delta3;
2827 +-
2828 +- /*
2829 +- * delta is now minimum absolute delta.
2830 +- * Round down by 1 bit on general principles,
2831 +- * and limit entropy entimate to 12 bits.
2832 +- */
2833 +- credit_entropy_bits(r, min_t(int, fls(delta>>1), 11));
2834 +-}
2835 +-
2836 +-void add_input_randomness(unsigned int type, unsigned int code,
2837 +- unsigned int value)
2838 +-{
2839 +- static unsigned char last_value;
2840 +-
2841 +- /* ignore autorepeat and the like */
2842 +- if (value == last_value)
2843 +- return;
2844 ++ unsigned long rdseed[32 / sizeof(long)];
2845 ++ size_t counter;
2846 ++ } block;
2847 ++ size_t i;
2848 ++
2849 ++ for (i = 0; i < ARRAY_SIZE(block.rdseed); ++i) {
2850 ++ if (!arch_get_random_seed_long(&block.rdseed[i]) &&
2851 ++ !arch_get_random_long(&block.rdseed[i]))
2852 ++ block.rdseed[i] = random_get_entropy();
2853 ++ }
2854 +
2855 +- last_value = value;
2856 +- add_timer_randomness(&input_timer_state,
2857 +- (type << 4) ^ code ^ (code >> 4) ^ value);
2858 +- trace_add_input_randomness(ENTROPY_BITS(&input_pool));
2859 +-}
2860 +-EXPORT_SYMBOL_GPL(add_input_randomness);
2861 ++ spin_lock_irqsave(&input_pool.lock, flags);
2862 +
2863 +-static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
2864 ++ /* seed = HASHPRF(last_key, entropy_input) */
2865 ++ blake2s_final(&input_pool.hash, seed);
2866 +
2867 +-#ifdef ADD_INTERRUPT_BENCH
2868 +-static unsigned long avg_cycles, avg_deviation;
2869 ++ /* next_key = HASHPRF(seed, RDSEED || 0) */
2870 ++ block.counter = 0;
2871 ++ blake2s(next_key, (u8 *)&block, seed, sizeof(next_key), sizeof(block), sizeof(seed));
2872 ++ blake2s_init_key(&input_pool.hash, BLAKE2S_HASH_SIZE, next_key, sizeof(next_key));
2873 +
2874 +-#define AVG_SHIFT 8 /* Exponential average factor k=1/256 */
2875 +-#define FIXED_1_2 (1 << (AVG_SHIFT-1))
2876 ++ spin_unlock_irqrestore(&input_pool.lock, flags);
2877 ++ memzero_explicit(next_key, sizeof(next_key));
2878 ++
2879 ++ while (len) {
2880 ++ i = min_t(size_t, len, BLAKE2S_HASH_SIZE);
2881 ++ /* output = HASHPRF(seed, RDSEED || ++counter) */
2882 ++ ++block.counter;
2883 ++ blake2s(buf, (u8 *)&block, seed, i, sizeof(block), sizeof(seed));
2884 ++ len -= i;
2885 ++ buf += i;
2886 ++ }
2887 +
2888 +-static void add_interrupt_bench(cycles_t start)
2889 +-{
2890 +- long delta = random_get_entropy() - start;
2891 +-
2892 +- /* Use a weighted moving average */
2893 +- delta = delta - ((avg_cycles + FIXED_1_2) >> AVG_SHIFT);
2894 +- avg_cycles += delta;
2895 +- /* And average deviation */
2896 +- delta = abs(delta) - ((avg_deviation + FIXED_1_2) >> AVG_SHIFT);
2897 +- avg_deviation += delta;
2898 ++ memzero_explicit(seed, sizeof(seed));
2899 ++ memzero_explicit(&block, sizeof(block));
2900 + }
2901 +-#else
2902 +-#define add_interrupt_bench(x)
2903 +-#endif
2904 +
2905 +-static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
2906 +-{
2907 +- __u32 *ptr = (__u32 *) regs;
2908 +- unsigned int idx;
2909 +-
2910 +- if (regs == NULL)
2911 +- return 0;
2912 +- idx = READ_ONCE(f->reg_idx);
2913 +- if (idx >= sizeof(struct pt_regs) / sizeof(__u32))
2914 +- idx = 0;
2915 +- ptr += idx++;
2916 +- WRITE_ONCE(f->reg_idx, idx);
2917 +- return *ptr;
2918 +-}
2919 ++#define credit_init_bits(bits) if (!crng_ready()) _credit_init_bits(bits)
2920 +
2921 +-void add_interrupt_randomness(int irq, int irq_flags)
2922 ++static void __cold _credit_init_bits(size_t bits)
2923 + {
2924 +- struct entropy_store *r;
2925 +- struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
2926 +- struct pt_regs *regs = get_irq_regs();
2927 +- unsigned long now = jiffies;
2928 +- cycles_t cycles = random_get_entropy();
2929 +- __u32 c_high, j_high;
2930 +- __u64 ip;
2931 +- unsigned long seed;
2932 +- int credit = 0;
2933 +-
2934 +- if (cycles == 0)
2935 +- cycles = get_reg(fast_pool, regs);
2936 +- c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0;
2937 +- j_high = (sizeof(now) > 4) ? now >> 32 : 0;
2938 +- fast_pool->pool[0] ^= cycles ^ j_high ^ irq;
2939 +- fast_pool->pool[1] ^= now ^ c_high;
2940 +- ip = regs ? instruction_pointer(regs) : _RET_IP_;
2941 +- fast_pool->pool[2] ^= ip;
2942 +- fast_pool->pool[3] ^= (sizeof(ip) > 4) ? ip >> 32 :
2943 +- get_reg(fast_pool, regs);
2944 +-
2945 +- fast_mix(fast_pool);
2946 +- add_interrupt_bench(cycles);
2947 +-
2948 +- if (unlikely(crng_init == 0)) {
2949 +- if ((fast_pool->count >= 64) &&
2950 +- crng_fast_load((char *) fast_pool->pool,
2951 +- sizeof(fast_pool->pool))) {
2952 +- fast_pool->count = 0;
2953 +- fast_pool->last = now;
2954 +- }
2955 +- return;
2956 +- }
2957 ++ unsigned int new, orig, add;
2958 ++ unsigned long flags;
2959 +
2960 +- if ((fast_pool->count < 64) &&
2961 +- !time_after(now, fast_pool->last + HZ))
2962 ++ if (!bits)
2963 + return;
2964 +
2965 +- r = &input_pool;
2966 +- if (!spin_trylock(&r->lock))
2967 +- return;
2968 ++ add = min_t(size_t, bits, POOL_BITS);
2969 +
2970 +- fast_pool->last = now;
2971 +- __mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool));
2972 ++ do {
2973 ++ orig = READ_ONCE(input_pool.init_bits);
2974 ++ new = min_t(unsigned int, POOL_BITS, orig + add);
2975 ++ } while (cmpxchg(&input_pool.init_bits, orig, new) != orig);
2976 +
2977 +- /*
2978 +- * If we have architectural seed generator, produce a seed and
2979 +- * add it to the pool. For the sake of paranoia don't let the
2980 +- * architectural seed generator dominate the input from the
2981 +- * interrupt noise.
2982 +- */
2983 +- if (arch_get_random_seed_long(&seed)) {
2984 +- __mix_pool_bytes(r, &seed, sizeof(seed));
2985 +- credit = 1;
2986 ++ if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) {
2987 ++ crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */
2988 ++ process_random_ready_list();
2989 ++ wake_up_interruptible(&crng_init_wait);
2990 ++ kill_fasync(&fasync, SIGIO, POLL_IN);
2991 ++ pr_notice("crng init done\n");
2992 ++ if (urandom_warning.missed)
2993 ++ pr_notice("%d urandom warning(s) missed due to ratelimiting\n",
2994 ++ urandom_warning.missed);
2995 ++ } else if (orig < POOL_EARLY_BITS && new >= POOL_EARLY_BITS) {
2996 ++ spin_lock_irqsave(&base_crng.lock, flags);
2997 ++ /* Check if crng_init is CRNG_EMPTY, to avoid race with crng_reseed(). */
2998 ++ if (crng_init == CRNG_EMPTY) {
2999 ++ extract_entropy(base_crng.key, sizeof(base_crng.key));
3000 ++ crng_init = CRNG_EARLY;
3001 ++ }
3002 ++ spin_unlock_irqrestore(&base_crng.lock, flags);
3003 + }
3004 +- spin_unlock(&r->lock);
3005 +-
3006 +- fast_pool->count = 0;
3007 +-
3008 +- /* award one bit for the contents of the fast pool */
3009 +- credit_entropy_bits(r, credit + 1);
3010 + }
3011 +-EXPORT_SYMBOL_GPL(add_interrupt_randomness);
3012 +
3013 +-#ifdef CONFIG_BLOCK
3014 +-void add_disk_randomness(struct gendisk *disk)
3015 +-{
3016 +- if (!disk || !disk->random)
3017 +- return;
3018 +- /* first major is 1, so we get >= 0x200 here */
3019 +- add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
3020 +- trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool));
3021 +-}
3022 +-EXPORT_SYMBOL_GPL(add_disk_randomness);
3023 +-#endif
3024 +
3025 +-/*********************************************************************
3026 ++/**********************************************************************
3027 + *
3028 +- * Entropy extraction routines
3029 ++ * Entropy collection routines.
3030 + *
3031 +- *********************************************************************/
3032 +-
3033 +-/*
3034 +- * This utility inline function is responsible for transferring entropy
3035 +- * from the primary pool to the secondary extraction pool. We make
3036 +- * sure we pull enough for a 'catastrophic reseed'.
3037 +- */
3038 +-static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes);
3039 +-static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
3040 +-{
3041 +- if (!r->pull ||
3042 +- r->entropy_count >= (nbytes << (ENTROPY_SHIFT + 3)) ||
3043 +- r->entropy_count > r->poolinfo->poolfracbits)
3044 +- return;
3045 +-
3046 +- _xfer_secondary_pool(r, nbytes);
3047 +-}
3048 ++ * The following exported functions are used for pushing entropy into
3049 ++ * the above entropy accumulation routines:
3050 ++ *
3051 ++ * void add_device_randomness(const void *buf, size_t len);
3052 ++ * void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy);
3053 ++ * void add_bootloader_randomness(const void *buf, size_t len);
3054 ++ * void add_interrupt_randomness(int irq);
3055 ++ * void add_input_randomness(unsigned int type, unsigned int code, unsigned int value);
3056 ++ * void add_disk_randomness(struct gendisk *disk);
3057 ++ *
3058 ++ * add_device_randomness() adds data to the input pool that
3059 ++ * is likely to differ between two devices (or possibly even per boot).
3060 ++ * This would be things like MAC addresses or serial numbers, or the
3061 ++ * read-out of the RTC. This does *not* credit any actual entropy to
3062 ++ * the pool, but it initializes the pool to different values for devices
3063 ++ * that might otherwise be identical and have very little entropy
3064 ++ * available to them (particularly common in the embedded world).
3065 ++ *
3066 ++ * add_hwgenerator_randomness() is for true hardware RNGs, and will credit
3067 ++ * entropy as specified by the caller. If the entropy pool is full it will
3068 ++ * block until more entropy is needed.
3069 ++ *
3070 ++ * add_bootloader_randomness() is called by bootloader drivers, such as EFI
3071 ++ * and device tree, and credits its input depending on whether or not the
3072 ++ * configuration option CONFIG_RANDOM_TRUST_BOOTLOADER is set.
3073 ++ *
3074 ++ * add_interrupt_randomness() uses the interrupt timing as random
3075 ++ * inputs to the entropy pool. Using the cycle counters and the irq source
3076 ++ * as inputs, it feeds the input pool roughly once a second or after 64
3077 ++ * interrupts, crediting 1 bit of entropy for whichever comes first.
3078 ++ *
3079 ++ * add_input_randomness() uses the input layer interrupt timing, as well
3080 ++ * as the event type information from the hardware.
3081 ++ *
3082 ++ * add_disk_randomness() uses what amounts to the seek time of block
3083 ++ * layer request events, on a per-disk_devt basis, as input to the
3084 ++ * entropy pool. Note that high-speed solid state drives with very low
3085 ++ * seek times do not make for good sources of entropy, as their seek
3086 ++ * times are usually fairly consistent.
3087 ++ *
3088 ++ * The last two routines try to estimate how many bits of entropy
3089 ++ * to credit. They do this by keeping track of the first and second
3090 ++ * order deltas of the event timings.
3091 ++ *
3092 ++ **********************************************************************/
3093 +
3094 +-static void _xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
3095 ++static bool trust_cpu __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
3096 ++static bool trust_bootloader __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
3097 ++static int __init parse_trust_cpu(char *arg)
3098 + {
3099 +- __u32 tmp[OUTPUT_POOL_WORDS];
3100 +-
3101 +- int bytes = nbytes;
3102 +-
3103 +- /* pull at least as much as a wakeup */
3104 +- bytes = max_t(int, bytes, random_read_wakeup_bits / 8);
3105 +- /* but never more than the buffer size */
3106 +- bytes = min_t(int, bytes, sizeof(tmp));
3107 +-
3108 +- trace_xfer_secondary_pool(r->name, bytes * 8, nbytes * 8,
3109 +- ENTROPY_BITS(r), ENTROPY_BITS(r->pull));
3110 +- bytes = extract_entropy(r->pull, tmp, bytes,
3111 +- random_read_wakeup_bits / 8, 0);
3112 +- mix_pool_bytes(r, tmp, bytes);
3113 +- credit_entropy_bits(r, bytes*8);
3114 ++ return kstrtobool(arg, &trust_cpu);
3115 + }
3116 +-
3117 +-/*
3118 +- * Used as a workqueue function so that when the input pool is getting
3119 +- * full, we can "spill over" some entropy to the output pools. That
3120 +- * way the output pools can store some of the excess entropy instead
3121 +- * of letting it go to waste.
3122 +- */
3123 +-static void push_to_pool(struct work_struct *work)
3124 ++static int __init parse_trust_bootloader(char *arg)
3125 + {
3126 +- struct entropy_store *r = container_of(work, struct entropy_store,
3127 +- push_work);
3128 +- BUG_ON(!r);
3129 +- _xfer_secondary_pool(r, random_read_wakeup_bits/8);
3130 +- trace_push_to_pool(r->name, r->entropy_count >> ENTROPY_SHIFT,
3131 +- r->pull->entropy_count >> ENTROPY_SHIFT);
3132 ++ return kstrtobool(arg, &trust_bootloader);
3133 + }
3134 ++early_param("random.trust_cpu", parse_trust_cpu);
3135 ++early_param("random.trust_bootloader", parse_trust_bootloader);
3136 +
3137 + /*
3138 +- * This function decides how many bytes to actually take from the
3139 +- * given pool, and also debits the entropy count accordingly.
3140 ++ * The first collection of entropy occurs at system boot while interrupts
3141 ++ * are still turned off. Here we push in latent entropy, RDSEED, a timestamp,
3142 ++ * utsname(), and the command line. Depending on the above configuration knob,
3143 ++ * RDSEED may be considered sufficient for initialization. Note that much
3144 ++ * earlier setup may already have pushed entropy into the input pool by the
3145 ++ * time we get here.
3146 + */
3147 +-static size_t account(struct entropy_store *r, size_t nbytes, int min,
3148 +- int reserved)
3149 ++int __init random_init(const char *command_line)
3150 + {
3151 +- int entropy_count, orig, have_bytes;
3152 +- size_t ibytes, nfrac;
3153 +-
3154 +- BUG_ON(r->entropy_count > r->poolinfo->poolfracbits);
3155 +-
3156 +- /* Can we pull enough? */
3157 +-retry:
3158 +- entropy_count = orig = READ_ONCE(r->entropy_count);
3159 +- ibytes = nbytes;
3160 +- /* never pull more than available */
3161 +- have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
3162 +-
3163 +- if ((have_bytes -= reserved) < 0)
3164 +- have_bytes = 0;
3165 +- ibytes = min_t(size_t, ibytes, have_bytes);
3166 +- if (ibytes < min)
3167 +- ibytes = 0;
3168 +-
3169 +- if (unlikely(entropy_count < 0)) {
3170 +- pr_warn("random: negative entropy count: pool %s count %d\n",
3171 +- r->name, entropy_count);
3172 +- WARN_ON(1);
3173 +- entropy_count = 0;
3174 +- }
3175 +- nfrac = ibytes << (ENTROPY_SHIFT + 3);
3176 +- if ((size_t) entropy_count > nfrac)
3177 +- entropy_count -= nfrac;
3178 +- else
3179 +- entropy_count = 0;
3180 ++ ktime_t now = ktime_get_real();
3181 ++ unsigned int i, arch_bits;
3182 ++ unsigned long entropy;
3183 +
3184 +- if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
3185 +- goto retry;
3186 ++#if defined(LATENT_ENTROPY_PLUGIN)
3187 ++ static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
3188 ++ _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed));
3189 ++#endif
3190 +
3191 +- trace_debit_entropy(r->name, 8 * ibytes);
3192 +- if (ibytes &&
3193 +- (r->entropy_count >> ENTROPY_SHIFT) < random_write_wakeup_bits) {
3194 +- wake_up_interruptible(&random_write_wait);
3195 +- kill_fasync(&fasync, SIGIO, POLL_OUT);
3196 ++ for (i = 0, arch_bits = BLAKE2S_BLOCK_SIZE * 8;
3197 ++ i < BLAKE2S_BLOCK_SIZE; i += sizeof(entropy)) {
3198 ++ if (!arch_get_random_seed_long_early(&entropy) &&
3199 ++ !arch_get_random_long_early(&entropy)) {
3200 ++ entropy = random_get_entropy();
3201 ++ arch_bits -= sizeof(entropy) * 8;
3202 ++ }
3203 ++ _mix_pool_bytes(&entropy, sizeof(entropy));
3204 + }
3205 ++ _mix_pool_bytes(&now, sizeof(now));
3206 ++ _mix_pool_bytes(utsname(), sizeof(*(utsname())));
3207 ++ _mix_pool_bytes(command_line, strlen(command_line));
3208 ++ add_latent_entropy();
3209 +
3210 +- return ibytes;
3211 ++ if (crng_ready())
3212 ++ crng_reseed();
3213 ++ else if (trust_cpu)
3214 ++ _credit_init_bits(arch_bits);
3215 ++
3216 ++ return 0;
3217 + }
3218 +
3219 + /*
3220 +- * This function does the actual extraction for extract_entropy and
3221 +- * extract_entropy_user.
3222 ++ * Add device- or boot-specific data to the input pool to help
3223 ++ * initialize it.
3224 + *
3225 +- * Note: we assume that .poolwords is a multiple of 16 words.
3226 ++ * None of this adds any entropy; it is meant to avoid the problem of
3227 ++ * the entropy pool having similar initial state across largely
3228 ++ * identical devices.
3229 + */
3230 +-static void extract_buf(struct entropy_store *r, __u8 *out)
3231 +-{
3232 +- int i;
3233 +- union {
3234 +- __u32 w[5];
3235 +- unsigned long l[LONGS(20)];
3236 +- } hash;
3237 +- __u32 workspace[SHA_WORKSPACE_WORDS];
3238 +- unsigned long flags;
3239 +-
3240 +- /*
3241 +- * If we have an architectural hardware random number
3242 +- * generator, use it for SHA's initial vector
3243 +- */
3244 +- sha_init(hash.w);
3245 +- for (i = 0; i < LONGS(20); i++) {
3246 +- unsigned long v;
3247 +- if (!arch_get_random_long(&v))
3248 +- break;
3249 +- hash.l[i] = v;
3250 +- }
3251 +-
3252 +- /* Generate a hash across the pool, 16 words (512 bits) at a time */
3253 +- spin_lock_irqsave(&r->lock, flags);
3254 +- for (i = 0; i < r->poolinfo->poolwords; i += 16)
3255 +- sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
3256 +-
3257 +- /*
3258 +- * We mix the hash back into the pool to prevent backtracking
3259 +- * attacks (where the attacker knows the state of the pool
3260 +- * plus the current outputs, and attempts to find previous
3261 +- * ouputs), unless the hash function can be inverted. By
3262 +- * mixing at least a SHA1 worth of hash data back, we make
3263 +- * brute-forcing the feedback as hard as brute-forcing the
3264 +- * hash.
3265 +- */
3266 +- __mix_pool_bytes(r, hash.w, sizeof(hash.w));
3267 +- spin_unlock_irqrestore(&r->lock, flags);
3268 +-
3269 +- memzero_explicit(workspace, sizeof(workspace));
3270 +-
3271 +- /*
3272 +- * In case the hash function has some recognizable output
3273 +- * pattern, we fold it in half. Thus, we always feed back
3274 +- * twice as much data as we output.
3275 +- */
3276 +- hash.w[0] ^= hash.w[3];
3277 +- hash.w[1] ^= hash.w[4];
3278 +- hash.w[2] ^= rol32(hash.w[2], 16);
3279 +-
3280 +- memcpy(out, &hash, EXTRACT_SIZE);
3281 +- memzero_explicit(&hash, sizeof(hash));
3282 +-}
3283 +-
3284 +-static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
3285 +- size_t nbytes, int fips)
3286 ++void add_device_randomness(const void *buf, size_t len)
3287 + {
3288 +- ssize_t ret = 0, i;
3289 +- __u8 tmp[EXTRACT_SIZE];
3290 ++ unsigned long entropy = random_get_entropy();
3291 + unsigned long flags;
3292 +
3293 +- while (nbytes) {
3294 +- extract_buf(r, tmp);
3295 +-
3296 +- if (fips) {
3297 +- spin_lock_irqsave(&r->lock, flags);
3298 +- if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
3299 +- panic("Hardware RNG duplicated output!\n");
3300 +- memcpy(r->last_data, tmp, EXTRACT_SIZE);
3301 +- spin_unlock_irqrestore(&r->lock, flags);
3302 +- }
3303 +- i = min_t(int, nbytes, EXTRACT_SIZE);
3304 +- memcpy(buf, tmp, i);
3305 +- nbytes -= i;
3306 +- buf += i;
3307 +- ret += i;
3308 +- }
3309 +-
3310 +- /* Wipe data just returned from memory */
3311 +- memzero_explicit(tmp, sizeof(tmp));
3312 +-
3313 +- return ret;
3314 ++ spin_lock_irqsave(&input_pool.lock, flags);
3315 ++ _mix_pool_bytes(&entropy, sizeof(entropy));
3316 ++ _mix_pool_bytes(buf, len);
3317 ++ spin_unlock_irqrestore(&input_pool.lock, flags);
3318 + }
3319 ++EXPORT_SYMBOL(add_device_randomness);
3320 +
3321 + /*
3322 +- * This function extracts randomness from the "entropy pool", and
3323 +- * returns it in a buffer.
3324 +- *
3325 +- * The min parameter specifies the minimum amount we can pull before
3326 +- * failing to avoid races that defeat catastrophic reseeding while the
3327 +- * reserved parameter indicates how much entropy we must leave in the
3328 +- * pool after each pull to avoid starving other readers.
3329 ++ * Interface for in-kernel drivers of true hardware RNGs.
3330 ++ * Those devices may produce endless random bits and will be throttled
3331 ++ * when our pool is full.
3332 + */
3333 +-static ssize_t extract_entropy(struct entropy_store *r, void *buf,
3334 +- size_t nbytes, int min, int reserved)
3335 ++void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy)
3336 + {
3337 +- __u8 tmp[EXTRACT_SIZE];
3338 +- unsigned long flags;
3339 ++ mix_pool_bytes(buf, len);
3340 ++ credit_init_bits(entropy);
3341 +
3342 +- /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
3343 +- if (fips_enabled) {
3344 +- spin_lock_irqsave(&r->lock, flags);
3345 +- if (!r->last_data_init) {
3346 +- r->last_data_init = 1;
3347 +- spin_unlock_irqrestore(&r->lock, flags);
3348 +- trace_extract_entropy(r->name, EXTRACT_SIZE,
3349 +- ENTROPY_BITS(r), _RET_IP_);
3350 +- xfer_secondary_pool(r, EXTRACT_SIZE);
3351 +- extract_buf(r, tmp);
3352 +- spin_lock_irqsave(&r->lock, flags);
3353 +- memcpy(r->last_data, tmp, EXTRACT_SIZE);
3354 +- }
3355 +- spin_unlock_irqrestore(&r->lock, flags);
3356 +- }
3357 +-
3358 +- trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
3359 +- xfer_secondary_pool(r, nbytes);
3360 +- nbytes = account(r, nbytes, min, reserved);
3361 +-
3362 +- return _extract_entropy(r, buf, nbytes, fips_enabled);
3363 ++ /*
3364 ++ * Throttle writing to once every CRNG_RESEED_INTERVAL, unless
3365 ++ * we're not yet initialized.
3366 ++ */
3367 ++ if (!kthread_should_stop() && crng_ready())
3368 ++ schedule_timeout_interruptible(CRNG_RESEED_INTERVAL);
3369 + }
3370 ++EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
3371 +
3372 + /*
3373 +- * This function extracts randomness from the "entropy pool", and
3374 +- * returns it in a userspace buffer.
3375 ++ * Handle random seed passed by bootloader, and credit it if
3376 ++ * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
3377 + */
3378 +-static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
3379 +- size_t nbytes)
3380 ++void __init add_bootloader_randomness(const void *buf, size_t len)
3381 + {
3382 +- ssize_t ret = 0, i;
3383 +- __u8 tmp[EXTRACT_SIZE];
3384 +- int large_request = (nbytes > 256);
3385 +-
3386 +- trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
3387 +- xfer_secondary_pool(r, nbytes);
3388 +- nbytes = account(r, nbytes, 0, 0);
3389 +-
3390 +- while (nbytes) {
3391 +- if (large_request && need_resched()) {
3392 +- if (signal_pending(current)) {
3393 +- if (ret == 0)
3394 +- ret = -ERESTARTSYS;
3395 +- break;
3396 +- }
3397 +- schedule();
3398 +- }
3399 +-
3400 +- extract_buf(r, tmp);
3401 +- i = min_t(int, nbytes, EXTRACT_SIZE);
3402 +- if (copy_to_user(buf, tmp, i)) {
3403 +- ret = -EFAULT;
3404 +- break;
3405 +- }
3406 +-
3407 +- nbytes -= i;
3408 +- buf += i;
3409 +- ret += i;
3410 +- }
3411 +-
3412 +- /* Wipe data just returned from memory */
3413 +- memzero_explicit(tmp, sizeof(tmp));
3414 +-
3415 +- return ret;
3416 ++ mix_pool_bytes(buf, len);
3417 ++ if (trust_bootloader)
3418 ++ credit_init_bits(len * 8);
3419 + }
3420 +
3421 +-#define warn_unseeded_randomness(previous) \
3422 +- _warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous))
3423 ++struct fast_pool {
3424 ++ struct work_struct mix;
3425 ++ unsigned long pool[4];
3426 ++ unsigned long last;
3427 ++ unsigned int count;
3428 ++};
3429 +
3430 +-static void _warn_unseeded_randomness(const char *func_name, void *caller,
3431 +- void **previous)
3432 +-{
3433 +-#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
3434 +- const bool print_once = false;
3435 ++static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
3436 ++#ifdef CONFIG_64BIT
3437 ++#define FASTMIX_PERM SIPHASH_PERMUTATION
3438 ++ .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 }
3439 + #else
3440 +- static bool print_once __read_mostly;
3441 +-#endif
3442 +-
3443 +- if (print_once ||
3444 +- crng_ready() ||
3445 +- (previous && (caller == READ_ONCE(*previous))))
3446 +- return;
3447 +- WRITE_ONCE(*previous, caller);
3448 +-#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
3449 +- print_once = true;
3450 ++#define FASTMIX_PERM HSIPHASH_PERMUTATION
3451 ++ .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 }
3452 + #endif
3453 +- if (__ratelimit(&unseeded_warning))
3454 +- pr_notice("random: %s called from %pS with crng_init=%d\n",
3455 +- func_name, caller, crng_init);
3456 +-}
3457 ++};
3458 +
3459 + /*
3460 +- * This function is the exported kernel interface. It returns some
3461 +- * number of good random numbers, suitable for key generation, seeding
3462 +- * TCP sequence numbers, etc. It does not rely on the hardware random
3463 +- * number generator. For random bytes direct from the hardware RNG
3464 +- * (when available), use get_random_bytes_arch(). In order to ensure
3465 +- * that the randomness provided by this function is okay, the function
3466 +- * wait_for_random_bytes() should be called and return 0 at least once
3467 +- * at any point prior.
3468 ++ * This is [Half]SipHash-1-x, starting from an empty key. Because
3469 ++ * the key is fixed, it assumes that its inputs are non-malicious,
3470 ++ * and therefore this has no security on its own. s represents the
3471 ++ * four-word SipHash state, while v represents a two-word input.
3472 + */
3473 +-static void _get_random_bytes(void *buf, int nbytes)
3474 +-{
3475 +- __u8 tmp[CHACHA20_BLOCK_SIZE] __aligned(4);
3476 +-
3477 +- trace_get_random_bytes(nbytes, _RET_IP_);
3478 +-
3479 +- while (nbytes >= CHACHA20_BLOCK_SIZE) {
3480 +- extract_crng(buf);
3481 +- buf += CHACHA20_BLOCK_SIZE;
3482 +- nbytes -= CHACHA20_BLOCK_SIZE;
3483 +- }
3484 +-
3485 +- if (nbytes > 0) {
3486 +- extract_crng(tmp);
3487 +- memcpy(buf, tmp, nbytes);
3488 +- crng_backtrack_protect(tmp, nbytes);
3489 +- } else
3490 +- crng_backtrack_protect(tmp, CHACHA20_BLOCK_SIZE);
3491 +- memzero_explicit(tmp, sizeof(tmp));
3492 +-}
3493 +-
3494 +-void get_random_bytes(void *buf, int nbytes)
3495 ++static void fast_mix(unsigned long s[4], unsigned long v1, unsigned long v2)
3496 + {
3497 +- static void *previous;
3498 +-
3499 +- warn_unseeded_randomness(&previous);
3500 +- _get_random_bytes(buf, nbytes);
3501 ++ s[3] ^= v1;
3502 ++ FASTMIX_PERM(s[0], s[1], s[2], s[3]);
3503 ++ s[0] ^= v1;
3504 ++ s[3] ^= v2;
3505 ++ FASTMIX_PERM(s[0], s[1], s[2], s[3]);
3506 ++ s[0] ^= v2;
3507 + }
3508 +-EXPORT_SYMBOL(get_random_bytes);
3509 +-
3510 +
3511 ++#ifdef CONFIG_SMP
3512 + /*
3513 +- * Each time the timer fires, we expect that we got an unpredictable
3514 +- * jump in the cycle counter. Even if the timer is running on another
3515 +- * CPU, the timer activity will be touching the stack of the CPU that is
3516 +- * generating entropy..
3517 +- *
3518 +- * Note that we don't re-arm the timer in the timer itself - we are
3519 +- * happy to be scheduled away, since that just makes the load more
3520 +- * complex, but we do not want the timer to keep ticking unless the
3521 +- * entropy loop is running.
3522 +- *
3523 +- * So the re-arming always happens in the entropy loop itself.
3524 ++ * This function is called when the CPU has just come online, with
3525 ++ * entry CPUHP_AP_RANDOM_ONLINE, just after CPUHP_AP_WORKQUEUE_ONLINE.
3526 + */
3527 +-static void entropy_timer(struct timer_list *t)
3528 ++int __cold random_online_cpu(unsigned int cpu)
3529 + {
3530 +- credit_entropy_bits(&input_pool, 1);
3531 ++ /*
3532 ++ * During CPU shutdown and before CPU onlining, add_interrupt_
3533 ++ * randomness() may schedule mix_interrupt_randomness(), and
3534 ++ * set the MIX_INFLIGHT flag. However, because the worker can
3535 ++ * be scheduled on a different CPU during this period, that
3536 ++ * flag will never be cleared. For that reason, we zero out
3537 ++ * the flag here, which runs just after workqueues are onlined
3538 ++ * for the CPU again. This also has the effect of setting the
3539 ++ * irq randomness count to zero so that new accumulated irqs
3540 ++ * are fresh.
3541 ++ */
3542 ++ per_cpu_ptr(&irq_randomness, cpu)->count = 0;
3543 ++ return 0;
3544 + }
3545 ++#endif
3546 +
3547 +-/*
3548 +- * If we have an actual cycle counter, see if we can
3549 +- * generate enough entropy with timing noise
3550 +- */
3551 +-static void try_to_generate_entropy(void)
3552 ++static void mix_interrupt_randomness(struct work_struct *work)
3553 + {
3554 +- struct {
3555 +- unsigned long now;
3556 +- struct timer_list timer;
3557 +- } stack;
3558 +-
3559 +- stack.now = random_get_entropy();
3560 ++ struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix);
3561 ++ /*
3562 ++ * The size of the copied stack pool is explicitly 2 longs so that we
3563 ++ * only ever ingest half of the siphash output each time, retaining
3564 ++ * the other half as the next "key" that carries over. The entropy is
3565 ++ * supposed to be sufficiently dispersed between bits so on average
3566 ++ * we don't wind up "losing" some.
3567 ++ */
3568 ++ unsigned long pool[2];
3569 ++ unsigned int count;
3570 +
3571 +- /* Slow counter - or none. Don't even bother */
3572 +- if (stack.now == random_get_entropy())
3573 ++ /* Check to see if we're running on the wrong CPU due to hotplug. */
3574 ++ local_irq_disable();
3575 ++ if (fast_pool != this_cpu_ptr(&irq_randomness)) {
3576 ++ local_irq_enable();
3577 + return;
3578 +-
3579 +- timer_setup_on_stack(&stack.timer, entropy_timer, 0);
3580 +- while (!crng_ready()) {
3581 +- if (!timer_pending(&stack.timer))
3582 +- mod_timer(&stack.timer, jiffies+1);
3583 +- mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
3584 +- schedule();
3585 +- stack.now = random_get_entropy();
3586 + }
3587 +
3588 +- del_timer_sync(&stack.timer);
3589 +- destroy_timer_on_stack(&stack.timer);
3590 +- mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
3591 +-}
3592 +-
3593 +-/*
3594 +- * Wait for the urandom pool to be seeded and thus guaranteed to supply
3595 +- * cryptographically secure random numbers. This applies to: the /dev/urandom
3596 +- * device, the get_random_bytes function, and the get_random_{u32,u64,int,long}
3597 +- * family of functions. Using any of these functions without first calling
3598 +- * this function forfeits the guarantee of security.
3599 +- *
3600 +- * Returns: 0 if the urandom pool has been seeded.
3601 +- * -ERESTARTSYS if the function was interrupted by a signal.
3602 +- */
3603 +-int wait_for_random_bytes(void)
3604 +-{
3605 +- if (likely(crng_ready()))
3606 +- return 0;
3607 +-
3608 +- do {
3609 +- int ret;
3610 +- ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
3611 +- if (ret)
3612 +- return ret > 0 ? 0 : ret;
3613 ++ /*
3614 ++ * Copy the pool to the stack so that the mixer always has a
3615 ++ * consistent view, before we reenable irqs again.
3616 ++ */
3617 ++ memcpy(pool, fast_pool->pool, sizeof(pool));
3618 ++ count = fast_pool->count;
3619 ++ fast_pool->count = 0;
3620 ++ fast_pool->last = jiffies;
3621 ++ local_irq_enable();
3622 +
3623 +- try_to_generate_entropy();
3624 +- } while (!crng_ready());
3625 ++ mix_pool_bytes(pool, sizeof(pool));
3626 ++ credit_init_bits(max(1u, (count & U16_MAX) / 64));
3627 +
3628 +- return 0;
3629 ++ memzero_explicit(pool, sizeof(pool));
3630 + }
3631 +-EXPORT_SYMBOL(wait_for_random_bytes);
3632 +
3633 +-/*
3634 +- * Returns whether or not the urandom pool has been seeded and thus guaranteed
3635 +- * to supply cryptographically secure random numbers. This applies to: the
3636 +- * /dev/urandom device, the get_random_bytes function, and the get_random_{u32,
3637 +- * ,u64,int,long} family of functions.
3638 +- *
3639 +- * Returns: true if the urandom pool has been seeded.
3640 +- * false if the urandom pool has not been seeded.
3641 +- */
3642 +-bool rng_is_initialized(void)
3643 ++void add_interrupt_randomness(int irq)
3644 + {
3645 +- return crng_ready();
3646 +-}
3647 +-EXPORT_SYMBOL(rng_is_initialized);
3648 ++ enum { MIX_INFLIGHT = 1U << 31 };
3649 ++ unsigned long entropy = random_get_entropy();
3650 ++ struct fast_pool *fast_pool = this_cpu_ptr(&irq_randomness);
3651 ++ struct pt_regs *regs = get_irq_regs();
3652 ++ unsigned int new_count;
3653 +
3654 +-/*
3655 +- * Add a callback function that will be invoked when the nonblocking
3656 +- * pool is initialised.
3657 +- *
3658 +- * returns: 0 if callback is successfully added
3659 +- * -EALREADY if pool is already initialised (callback not called)
3660 +- * -ENOENT if module for callback is not alive
3661 +- */
3662 +-int add_random_ready_callback(struct random_ready_callback *rdy)
3663 +-{
3664 +- struct module *owner;
3665 +- unsigned long flags;
3666 +- int err = -EALREADY;
3667 +-
3668 +- if (crng_ready())
3669 +- return err;
3670 +-
3671 +- owner = rdy->owner;
3672 +- if (!try_module_get(owner))
3673 +- return -ENOENT;
3674 +-
3675 +- spin_lock_irqsave(&random_ready_list_lock, flags);
3676 +- if (crng_ready())
3677 +- goto out;
3678 +-
3679 +- owner = NULL;
3680 +-
3681 +- list_add(&rdy->list, &random_ready_list);
3682 +- err = 0;
3683 ++ fast_mix(fast_pool->pool, entropy,
3684 ++ (regs ? instruction_pointer(regs) : _RET_IP_) ^ swab(irq));
3685 ++ new_count = ++fast_pool->count;
3686 +
3687 +-out:
3688 +- spin_unlock_irqrestore(&random_ready_list_lock, flags);
3689 ++ if (new_count & MIX_INFLIGHT)
3690 ++ return;
3691 +
3692 +- module_put(owner);
3693 ++ if (new_count < 64 && !time_is_before_jiffies(fast_pool->last + HZ))
3694 ++ return;
3695 +
3696 +- return err;
3697 ++ if (unlikely(!fast_pool->mix.func))
3698 ++ INIT_WORK(&fast_pool->mix, mix_interrupt_randomness);
3699 ++ fast_pool->count |= MIX_INFLIGHT;
3700 ++ queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix);
3701 + }
3702 +-EXPORT_SYMBOL(add_random_ready_callback);
3703 ++EXPORT_SYMBOL_GPL(add_interrupt_randomness);
3704 ++
3705 ++/* There is one of these per entropy source */
3706 ++struct timer_rand_state {
3707 ++ unsigned long last_time;
3708 ++ long last_delta, last_delta2;
3709 ++};
3710 +
3711 + /*
3712 +- * Delete a previously registered readiness callback function.
3713 ++ * This function adds entropy to the entropy "pool" by using timing
3714 ++ * delays. It uses the timer_rand_state structure to make an estimate
3715 ++ * of how many bits of entropy this call has added to the pool. The
3716 ++ * value "num" is also added to the pool; it should somehow describe
3717 ++ * the type of event that just happened.
3718 + */
3719 +-void del_random_ready_callback(struct random_ready_callback *rdy)
3720 ++static void add_timer_randomness(struct timer_rand_state *state, unsigned int num)
3721 + {
3722 +- unsigned long flags;
3723 +- struct module *owner = NULL;
3724 ++ unsigned long entropy = random_get_entropy(), now = jiffies, flags;
3725 ++ long delta, delta2, delta3;
3726 ++ unsigned int bits;
3727 +
3728 +- spin_lock_irqsave(&random_ready_list_lock, flags);
3729 +- if (!list_empty(&rdy->list)) {
3730 +- list_del_init(&rdy->list);
3731 +- owner = rdy->owner;
3732 ++ /*
3733 ++ * If we're in a hard IRQ, add_interrupt_randomness() will be called
3734 ++ * sometime after, so mix into the fast pool.
3735 ++ */
3736 ++ if (in_irq()) {
3737 ++ fast_mix(this_cpu_ptr(&irq_randomness)->pool, entropy, num);
3738 ++ } else {
3739 ++ spin_lock_irqsave(&input_pool.lock, flags);
3740 ++ _mix_pool_bytes(&entropy, sizeof(entropy));
3741 ++ _mix_pool_bytes(&num, sizeof(num));
3742 ++ spin_unlock_irqrestore(&input_pool.lock, flags);
3743 + }
3744 +- spin_unlock_irqrestore(&random_ready_list_lock, flags);
3745 +
3746 +- module_put(owner);
3747 +-}
3748 +-EXPORT_SYMBOL(del_random_ready_callback);
3749 ++ if (crng_ready())
3750 ++ return;
3751 +
3752 +-/*
3753 +- * This function will use the architecture-specific hardware random
3754 +- * number generator if it is available. The arch-specific hw RNG will
3755 +- * almost certainly be faster than what we can do in software, but it
3756 +- * is impossible to verify that it is implemented securely (as
3757 +- * opposed, to, say, the AES encryption of a sequence number using a
3758 +- * key known by the NSA). So it's useful if we need the speed, but
3759 +- * only if we're willing to trust the hardware manufacturer not to
3760 +- * have put in a back door.
3761 +- *
3762 +- * Return number of bytes filled in.
3763 +- */
3764 +-int __must_check get_random_bytes_arch(void *buf, int nbytes)
3765 +-{
3766 +- int left = nbytes;
3767 +- char *p = buf;
3768 ++ /*
3769 ++ * Calculate number of bits of randomness we probably added.
3770 ++ * We take into account the first, second and third-order deltas
3771 ++ * in order to make our estimate.
3772 ++ */
3773 ++ delta = now - READ_ONCE(state->last_time);
3774 ++ WRITE_ONCE(state->last_time, now);
3775 +
3776 +- trace_get_random_bytes_arch(left, _RET_IP_);
3777 +- while (left) {
3778 +- unsigned long v;
3779 +- int chunk = min_t(int, left, sizeof(unsigned long));
3780 ++ delta2 = delta - READ_ONCE(state->last_delta);
3781 ++ WRITE_ONCE(state->last_delta, delta);
3782 +
3783 +- if (!arch_get_random_long(&v))
3784 +- break;
3785 ++ delta3 = delta2 - READ_ONCE(state->last_delta2);
3786 ++ WRITE_ONCE(state->last_delta2, delta2);
3787 +
3788 +- memcpy(p, &v, chunk);
3789 +- p += chunk;
3790 +- left -= chunk;
3791 +- }
3792 ++ if (delta < 0)
3793 ++ delta = -delta;
3794 ++ if (delta2 < 0)
3795 ++ delta2 = -delta2;
3796 ++ if (delta3 < 0)
3797 ++ delta3 = -delta3;
3798 ++ if (delta > delta2)
3799 ++ delta = delta2;
3800 ++ if (delta > delta3)
3801 ++ delta = delta3;
3802 +
3803 +- return nbytes - left;
3804 ++ /*
3805 ++ * delta is now minimum absolute delta. Round down by 1 bit
3806 ++ * on general principles, and limit entropy estimate to 11 bits.
3807 ++ */
3808 ++ bits = min(fls(delta >> 1), 11);
3809 ++
3810 ++ /*
3811 ++ * As mentioned above, if we're in a hard IRQ, add_interrupt_randomness()
3812 ++ * will run after this, which uses a different crediting scheme of 1 bit
3813 ++ * per every 64 interrupts. In order to let that function do accounting
3814 ++ * close to the one in this function, we credit a full 64/64 bit per bit,
3815 ++ * and then subtract one to account for the extra one added.
3816 ++ */
3817 ++ if (in_irq())
3818 ++ this_cpu_ptr(&irq_randomness)->count += max(1u, bits * 64) - 1;
3819 ++ else
3820 ++ _credit_init_bits(bits);
3821 + }
3822 +-EXPORT_SYMBOL(get_random_bytes_arch);
3823 +
3824 +-/*
3825 +- * init_std_data - initialize pool with system data
3826 +- *
3827 +- * @r: pool to initialize
3828 +- *
3829 +- * This function clears the pool's entropy count and mixes some system
3830 +- * data into the pool to prepare it for use. The pool is not cleared
3831 +- * as that can only decrease the entropy in the pool.
3832 +- */
3833 +-static void init_std_data(struct entropy_store *r)
3834 ++void add_input_randomness(unsigned int type, unsigned int code, unsigned int value)
3835 + {
3836 +- int i;
3837 +- ktime_t now = ktime_get_real();
3838 +- unsigned long rv;
3839 +-
3840 +- r->last_pulled = jiffies;
3841 +- mix_pool_bytes(r, &now, sizeof(now));
3842 +- for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof(rv)) {
3843 +- if (!arch_get_random_seed_long(&rv) &&
3844 +- !arch_get_random_long(&rv))
3845 +- rv = random_get_entropy();
3846 +- mix_pool_bytes(r, &rv, sizeof(rv));
3847 +- }
3848 +- mix_pool_bytes(r, utsname(), sizeof(*(utsname())));
3849 ++ static unsigned char last_value;
3850 ++ static struct timer_rand_state input_timer_state = { INITIAL_JIFFIES };
3851 ++
3852 ++ /* Ignore autorepeat and the like. */
3853 ++ if (value == last_value)
3854 ++ return;
3855 ++
3856 ++ last_value = value;
3857 ++ add_timer_randomness(&input_timer_state,
3858 ++ (type << 4) ^ code ^ (code >> 4) ^ value);
3859 + }
3860 ++EXPORT_SYMBOL_GPL(add_input_randomness);
3861 +
3862 +-/*
3863 +- * Note that setup_arch() may call add_device_randomness()
3864 +- * long before we get here. This allows seeding of the pools
3865 +- * with some platform dependent data very early in the boot
3866 +- * process. But it limits our options here. We must use
3867 +- * statically allocated structures that already have all
3868 +- * initializations complete at compile time. We should also
3869 +- * take care not to overwrite the precious per platform data
3870 +- * we were given.
3871 +- */
3872 +-static int rand_initialize(void)
3873 ++#ifdef CONFIG_BLOCK
3874 ++void add_disk_randomness(struct gendisk *disk)
3875 + {
3876 +- init_std_data(&input_pool);
3877 +- init_std_data(&blocking_pool);
3878 +- crng_initialize(&primary_crng);
3879 +- crng_global_init_time = jiffies;
3880 +- if (ratelimit_disable) {
3881 +- urandom_warning.interval = 0;
3882 +- unseeded_warning.interval = 0;
3883 +- }
3884 +- return 0;
3885 ++ if (!disk || !disk->random)
3886 ++ return;
3887 ++ /* First major is 1, so we get >= 0x200 here. */
3888 ++ add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
3889 + }
3890 +-early_initcall(rand_initialize);
3891 ++EXPORT_SYMBOL_GPL(add_disk_randomness);
3892 +
3893 +-#ifdef CONFIG_BLOCK
3894 +-void rand_initialize_disk(struct gendisk *disk)
3895 ++void __cold rand_initialize_disk(struct gendisk *disk)
3896 + {
3897 + struct timer_rand_state *state;
3898 +
3899 +@@ -1910,134 +1126,189 @@ void rand_initialize_disk(struct gendisk *disk)
3900 + }
3901 + #endif
3902 +
3903 +-static ssize_t
3904 +-_random_read(int nonblock, char __user *buf, size_t nbytes)
3905 ++/*
3906 ++ * Each time the timer fires, we expect that we got an unpredictable
3907 ++ * jump in the cycle counter. Even if the timer is running on another
3908 ++ * CPU, the timer activity will be touching the stack of the CPU that is
3909 ++ * generating entropy..
3910 ++ *
3911 ++ * Note that we don't re-arm the timer in the timer itself - we are
3912 ++ * happy to be scheduled away, since that just makes the load more
3913 ++ * complex, but we do not want the timer to keep ticking unless the
3914 ++ * entropy loop is running.
3915 ++ *
3916 ++ * So the re-arming always happens in the entropy loop itself.
3917 ++ */
3918 ++static void __cold entropy_timer(struct timer_list *t)
3919 + {
3920 +- ssize_t n;
3921 ++ credit_init_bits(1);
3922 ++}
3923 +
3924 +- if (nbytes == 0)
3925 +- return 0;
3926 ++/*
3927 ++ * If we have an actual cycle counter, see if we can
3928 ++ * generate enough entropy with timing noise
3929 ++ */
3930 ++static void __cold try_to_generate_entropy(void)
3931 ++{
3932 ++ struct {
3933 ++ unsigned long entropy;
3934 ++ struct timer_list timer;
3935 ++ } stack;
3936 +
3937 +- nbytes = min_t(size_t, nbytes, SEC_XFER_SIZE);
3938 +- while (1) {
3939 +- n = extract_entropy_user(&blocking_pool, buf, nbytes);
3940 +- if (n < 0)
3941 +- return n;
3942 +- trace_random_read(n*8, (nbytes-n)*8,
3943 +- ENTROPY_BITS(&blocking_pool),
3944 +- ENTROPY_BITS(&input_pool));
3945 +- if (n > 0)
3946 +- return n;
3947 +-
3948 +- /* Pool is (near) empty. Maybe wait and retry. */
3949 +- if (nonblock)
3950 +- return -EAGAIN;
3951 ++ stack.entropy = random_get_entropy();
3952 ++
3953 ++ /* Slow counter - or none. Don't even bother */
3954 ++ if (stack.entropy == random_get_entropy())
3955 ++ return;
3956 +
3957 +- wait_event_interruptible(random_read_wait,
3958 +- ENTROPY_BITS(&input_pool) >=
3959 +- random_read_wakeup_bits);
3960 +- if (signal_pending(current))
3961 +- return -ERESTARTSYS;
3962 ++ timer_setup_on_stack(&stack.timer, entropy_timer, 0);
3963 ++ while (!crng_ready() && !signal_pending(current)) {
3964 ++ if (!timer_pending(&stack.timer))
3965 ++ mod_timer(&stack.timer, jiffies + 1);
3966 ++ mix_pool_bytes(&stack.entropy, sizeof(stack.entropy));
3967 ++ schedule();
3968 ++ stack.entropy = random_get_entropy();
3969 + }
3970 +-}
3971 +
3972 +-static ssize_t
3973 +-random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
3974 +-{
3975 +- return _random_read(file->f_flags & O_NONBLOCK, buf, nbytes);
3976 ++ del_timer_sync(&stack.timer);
3977 ++ destroy_timer_on_stack(&stack.timer);
3978 ++ mix_pool_bytes(&stack.entropy, sizeof(stack.entropy));
3979 + }
3980 +
3981 +-static ssize_t
3982 +-urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
3983 ++
3984 ++/**********************************************************************
3985 ++ *
3986 ++ * Userspace reader/writer interfaces.
3987 ++ *
3988 ++ * getrandom(2) is the primary modern interface into the RNG and should
3989 ++ * be used in preference to anything else.
3990 ++ *
3991 ++ * Reading from /dev/random has the same functionality as calling
3992 ++ * getrandom(2) with flags=0. In earlier versions, however, it had
3993 ++ * vastly different semantics and should therefore be avoided, to
3994 ++ * prevent backwards compatibility issues.
3995 ++ *
3996 ++ * Reading from /dev/urandom has the same functionality as calling
3997 ++ * getrandom(2) with flags=GRND_INSECURE. Because it does not block
3998 ++ * waiting for the RNG to be ready, it should not be used.
3999 ++ *
4000 ++ * Writing to either /dev/random or /dev/urandom adds entropy to
4001 ++ * the input pool but does not credit it.
4002 ++ *
4003 ++ * Polling on /dev/random indicates when the RNG is initialized, on
4004 ++ * the read side, and when it wants new entropy, on the write side.
4005 ++ *
4006 ++ * Both /dev/random and /dev/urandom have the same set of ioctls for
4007 ++ * adding entropy, getting the entropy count, zeroing the count, and
4008 ++ * reseeding the crng.
4009 ++ *
4010 ++ **********************************************************************/
4011 ++
4012 ++SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags)
4013 + {
4014 +- unsigned long flags;
4015 +- static int maxwarn = 10;
4016 ++ struct iov_iter iter;
4017 ++ struct iovec iov;
4018 + int ret;
4019 +
4020 +- if (!crng_ready() && maxwarn > 0) {
4021 +- maxwarn--;
4022 +- if (__ratelimit(&urandom_warning))
4023 +- printk(KERN_NOTICE "random: %s: uninitialized "
4024 +- "urandom read (%zd bytes read)\n",
4025 +- current->comm, nbytes);
4026 +- spin_lock_irqsave(&primary_crng.lock, flags);
4027 +- crng_init_cnt = 0;
4028 +- spin_unlock_irqrestore(&primary_crng.lock, flags);
4029 ++ if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
4030 ++ return -EINVAL;
4031 ++
4032 ++ /*
4033 ++ * Requesting insecure and blocking randomness at the same time makes
4034 ++ * no sense.
4035 ++ */
4036 ++ if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
4037 ++ return -EINVAL;
4038 ++
4039 ++ if (!crng_ready() && !(flags & GRND_INSECURE)) {
4040 ++ if (flags & GRND_NONBLOCK)
4041 ++ return -EAGAIN;
4042 ++ ret = wait_for_random_bytes();
4043 ++ if (unlikely(ret))
4044 ++ return ret;
4045 + }
4046 +- nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
4047 +- ret = extract_crng_user(buf, nbytes);
4048 +- trace_urandom_read(8 * nbytes, 0, ENTROPY_BITS(&input_pool));
4049 +- return ret;
4050 ++
4051 ++ ret = import_single_range(READ, ubuf, len, &iov, &iter);
4052 ++ if (unlikely(ret))
4053 ++ return ret;
4054 ++ return get_random_bytes_user(&iter);
4055 + }
4056 +
4057 +-static __poll_t
4058 +-random_poll(struct file *file, poll_table * wait)
4059 ++static __poll_t random_poll(struct file *file, poll_table *wait)
4060 + {
4061 +- __poll_t mask;
4062 +-
4063 +- poll_wait(file, &random_read_wait, wait);
4064 +- poll_wait(file, &random_write_wait, wait);
4065 +- mask = 0;
4066 +- if (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits)
4067 +- mask |= EPOLLIN | EPOLLRDNORM;
4068 +- if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits)
4069 +- mask |= EPOLLOUT | EPOLLWRNORM;
4070 +- return mask;
4071 ++ poll_wait(file, &crng_init_wait, wait);
4072 ++ return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM;
4073 + }
4074 +
4075 +-static int
4076 +-write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
4077 ++static ssize_t write_pool_user(struct iov_iter *iter)
4078 + {
4079 +- size_t bytes;
4080 +- __u32 t, buf[16];
4081 +- const char __user *p = buffer;
4082 ++ u8 block[BLAKE2S_BLOCK_SIZE];
4083 ++ ssize_t ret = 0;
4084 ++ size_t copied;
4085 +
4086 +- while (count > 0) {
4087 +- int b, i = 0;
4088 ++ if (unlikely(!iov_iter_count(iter)))
4089 ++ return 0;
4090 +
4091 +- bytes = min(count, sizeof(buf));
4092 +- if (copy_from_user(&buf, p, bytes))
4093 +- return -EFAULT;
4094 ++ for (;;) {
4095 ++ copied = copy_from_iter(block, sizeof(block), iter);
4096 ++ ret += copied;
4097 ++ mix_pool_bytes(block, copied);
4098 ++ if (!iov_iter_count(iter) || copied != sizeof(block))
4099 ++ break;
4100 +
4101 +- for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
4102 +- if (!arch_get_random_int(&t))
4103 ++ BUILD_BUG_ON(PAGE_SIZE % sizeof(block) != 0);
4104 ++ if (ret % PAGE_SIZE == 0) {
4105 ++ if (signal_pending(current))
4106 + break;
4107 +- buf[i] ^= t;
4108 ++ cond_resched();
4109 + }
4110 ++ }
4111 ++
4112 ++ memzero_explicit(block, sizeof(block));
4113 ++ return ret ? ret : -EFAULT;
4114 ++}
4115 ++
4116 ++static ssize_t random_write_iter(struct kiocb *kiocb, struct iov_iter *iter)
4117 ++{
4118 ++ return write_pool_user(iter);
4119 ++}
4120 +
4121 +- count -= bytes;
4122 +- p += bytes;
4123 ++static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
4124 ++{
4125 ++ static int maxwarn = 10;
4126 +
4127 +- mix_pool_bytes(r, buf, bytes);
4128 +- cond_resched();
4129 ++ if (!crng_ready()) {
4130 ++ if (!ratelimit_disable && maxwarn <= 0)
4131 ++ ++urandom_warning.missed;
4132 ++ else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
4133 ++ --maxwarn;
4134 ++ pr_notice("%s: uninitialized urandom read (%zu bytes read)\n",
4135 ++ current->comm, iov_iter_count(iter));
4136 ++ }
4137 + }
4138 +
4139 +- return 0;
4140 ++ return get_random_bytes_user(iter);
4141 + }
4142 +
4143 +-static ssize_t random_write(struct file *file, const char __user *buffer,
4144 +- size_t count, loff_t *ppos)
4145 ++static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
4146 + {
4147 +- size_t ret;
4148 ++ int ret;
4149 +
4150 +- ret = write_pool(&input_pool, buffer, count);
4151 +- if (ret)
4152 ++ ret = wait_for_random_bytes();
4153 ++ if (ret != 0)
4154 + return ret;
4155 +-
4156 +- return (ssize_t)count;
4157 ++ return get_random_bytes_user(iter);
4158 + }
4159 +
4160 + static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
4161 + {
4162 +- int size, ent_count;
4163 + int __user *p = (int __user *)arg;
4164 +- int retval;
4165 ++ int ent_count;
4166 +
4167 + switch (cmd) {
4168 + case RNDGETENTCNT:
4169 +- /* inherently racy, no point locking */
4170 +- ent_count = ENTROPY_BITS(&input_pool);
4171 +- if (put_user(ent_count, p))
4172 ++ /* Inherently racy, no point locking. */
4173 ++ if (put_user(input_pool.init_bits, p))
4174 + return -EFAULT;
4175 + return 0;
4176 + case RNDADDTOENTCNT:
4177 +@@ -2045,39 +1316,48 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
4178 + return -EPERM;
4179 + if (get_user(ent_count, p))
4180 + return -EFAULT;
4181 +- return credit_entropy_bits_safe(&input_pool, ent_count);
4182 +- case RNDADDENTROPY:
4183 ++ if (ent_count < 0)
4184 ++ return -EINVAL;
4185 ++ credit_init_bits(ent_count);
4186 ++ return 0;
4187 ++ case RNDADDENTROPY: {
4188 ++ struct iov_iter iter;
4189 ++ struct iovec iov;
4190 ++ ssize_t ret;
4191 ++ int len;
4192 ++
4193 + if (!capable(CAP_SYS_ADMIN))
4194 + return -EPERM;
4195 + if (get_user(ent_count, p++))
4196 + return -EFAULT;
4197 + if (ent_count < 0)
4198 + return -EINVAL;
4199 +- if (get_user(size, p++))
4200 ++ if (get_user(len, p++))
4201 ++ return -EFAULT;
4202 ++ ret = import_single_range(WRITE, p, len, &iov, &iter);
4203 ++ if (unlikely(ret))
4204 ++ return ret;
4205 ++ ret = write_pool_user(&iter);
4206 ++ if (unlikely(ret < 0))
4207 ++ return ret;
4208 ++ /* Since we're crediting, enforce that it was all written into the pool. */
4209 ++ if (unlikely(ret != len))
4210 + return -EFAULT;
4211 +- retval = write_pool(&input_pool, (const char __user *)p,
4212 +- size);
4213 +- if (retval < 0)
4214 +- return retval;
4215 +- return credit_entropy_bits_safe(&input_pool, ent_count);
4216 ++ credit_init_bits(ent_count);
4217 ++ return 0;
4218 ++ }
4219 + case RNDZAPENTCNT:
4220 + case RNDCLEARPOOL:
4221 +- /*
4222 +- * Clear the entropy pool counters. We no longer clear
4223 +- * the entropy pool, as that's silly.
4224 +- */
4225 ++ /* No longer has any effect. */
4226 + if (!capable(CAP_SYS_ADMIN))
4227 + return -EPERM;
4228 +- input_pool.entropy_count = 0;
4229 +- blocking_pool.entropy_count = 0;
4230 + return 0;
4231 + case RNDRESEEDCRNG:
4232 + if (!capable(CAP_SYS_ADMIN))
4233 + return -EPERM;
4234 +- if (crng_init < 2)
4235 ++ if (!crng_ready())
4236 + return -ENODATA;
4237 +- crng_reseed(&primary_crng, &input_pool);
4238 +- WRITE_ONCE(crng_global_init_time, jiffies - 1);
4239 ++ crng_reseed();
4240 + return 0;
4241 + default:
4242 + return -EINVAL;
4243 +@@ -2090,49 +1370,54 @@ static int random_fasync(int fd, struct file *filp, int on)
4244 + }
4245 +
4246 + const struct file_operations random_fops = {
4247 +- .read = random_read,
4248 +- .write = random_write,
4249 +- .poll = random_poll,
4250 ++ .read_iter = random_read_iter,
4251 ++ .write_iter = random_write_iter,
4252 ++ .poll = random_poll,
4253 + .unlocked_ioctl = random_ioctl,
4254 + .fasync = random_fasync,
4255 + .llseek = noop_llseek,
4256 ++ .splice_read = generic_file_splice_read,
4257 ++ .splice_write = iter_file_splice_write,
4258 + };
4259 +
4260 + const struct file_operations urandom_fops = {
4261 +- .read = urandom_read,
4262 +- .write = random_write,
4263 ++ .read_iter = urandom_read_iter,
4264 ++ .write_iter = random_write_iter,
4265 + .unlocked_ioctl = random_ioctl,
4266 + .fasync = random_fasync,
4267 + .llseek = noop_llseek,
4268 ++ .splice_read = generic_file_splice_read,
4269 ++ .splice_write = iter_file_splice_write,
4270 + };
4271 +
4272 +-SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
4273 +- unsigned int, flags)
4274 +-{
4275 +- int ret;
4276 +-
4277 +- if (flags & ~(GRND_NONBLOCK|GRND_RANDOM))
4278 +- return -EINVAL;
4279 +-
4280 +- if (count > INT_MAX)
4281 +- count = INT_MAX;
4282 +-
4283 +- if (flags & GRND_RANDOM)
4284 +- return _random_read(flags & GRND_NONBLOCK, buf, count);
4285 +-
4286 +- if (!crng_ready()) {
4287 +- if (flags & GRND_NONBLOCK)
4288 +- return -EAGAIN;
4289 +- ret = wait_for_random_bytes();
4290 +- if (unlikely(ret))
4291 +- return ret;
4292 +- }
4293 +- return urandom_read(NULL, buf, count, NULL);
4294 +-}
4295 +
4296 + /********************************************************************
4297 + *
4298 +- * Sysctl interface
4299 ++ * Sysctl interface.
4300 ++ *
4301 ++ * These are partly unused legacy knobs with dummy values to not break
4302 ++ * userspace and partly still useful things. They are usually accessible
4303 ++ * in /proc/sys/kernel/random/ and are as follows:
4304 ++ *
4305 ++ * - boot_id - a UUID representing the current boot.
4306 ++ *
4307 ++ * - uuid - a random UUID, different each time the file is read.
4308 ++ *
4309 ++ * - poolsize - the number of bits of entropy that the input pool can
4310 ++ * hold, tied to the POOL_BITS constant.
4311 ++ *
4312 ++ * - entropy_avail - the number of bits of entropy currently in the
4313 ++ * input pool. Always <= poolsize.
4314 ++ *
4315 ++ * - write_wakeup_threshold - the amount of entropy in the input pool
4316 ++ * below which write polls to /dev/random will unblock, requesting
4317 ++ * more entropy, tied to the POOL_READY_BITS constant. It is writable
4318 ++ * to avoid breaking old userspaces, but writing to it does not
4319 ++ * change any behavior of the RNG.
4320 ++ *
4321 ++ * - urandom_min_reseed_secs - fixed to the value CRNG_RESEED_INTERVAL.
4322 ++ * It is writable to avoid breaking old userspaces, but writing
4323 ++ * to it does not change any behavior of the RNG.
4324 + *
4325 + ********************************************************************/
4326 +
4327 +@@ -2140,26 +1425,28 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
4328 +
4329 + #include <linux/sysctl.h>
4330 +
4331 +-static int min_read_thresh = 8, min_write_thresh;
4332 +-static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
4333 +-static int max_write_thresh = INPUT_POOL_WORDS * 32;
4334 +-static int random_min_urandom_seed = 60;
4335 +-static char sysctl_bootid[16];
4336 ++static int sysctl_random_min_urandom_seed = CRNG_RESEED_INTERVAL / HZ;
4337 ++static int sysctl_random_write_wakeup_bits = POOL_READY_BITS;
4338 ++static int sysctl_poolsize = POOL_BITS;
4339 ++static u8 sysctl_bootid[UUID_SIZE];
4340 +
4341 + /*
4342 + * This function is used to return both the bootid UUID, and random
4343 +- * UUID. The difference is in whether table->data is NULL; if it is,
4344 ++ * UUID. The difference is in whether table->data is NULL; if it is,
4345 + * then a new UUID is generated and returned to the user.
4346 +- *
4347 +- * If the user accesses this via the proc interface, the UUID will be
4348 +- * returned as an ASCII string in the standard UUID format; if via the
4349 +- * sysctl system call, as 16 bytes of binary data.
4350 + */
4351 +-static int proc_do_uuid(struct ctl_table *table, int write,
4352 +- void __user *buffer, size_t *lenp, loff_t *ppos)
4353 +-{
4354 +- struct ctl_table fake_table;
4355 +- unsigned char buf[64], tmp_uuid[16], *uuid;
4356 ++static int proc_do_uuid(struct ctl_table *table, int write, void __user *buf,
4357 ++ size_t *lenp, loff_t *ppos)
4358 ++{
4359 ++ u8 tmp_uuid[UUID_SIZE], *uuid;
4360 ++ char uuid_string[UUID_STRING_LEN + 1];
4361 ++ struct ctl_table fake_table = {
4362 ++ .data = uuid_string,
4363 ++ .maxlen = UUID_STRING_LEN
4364 ++ };
4365 ++
4366 ++ if (write)
4367 ++ return -EPERM;
4368 +
4369 + uuid = table->data;
4370 + if (!uuid) {
4371 +@@ -2174,32 +1461,17 @@ static int proc_do_uuid(struct ctl_table *table, int write,
4372 + spin_unlock(&bootid_spinlock);
4373 + }
4374 +
4375 +- sprintf(buf, "%pU", uuid);
4376 +-
4377 +- fake_table.data = buf;
4378 +- fake_table.maxlen = sizeof(buf);
4379 +-
4380 +- return proc_dostring(&fake_table, write, buffer, lenp, ppos);
4381 ++ snprintf(uuid_string, sizeof(uuid_string), "%pU", uuid);
4382 ++ return proc_dostring(&fake_table, 0, buf, lenp, ppos);
4383 + }
4384 +
4385 +-/*
4386 +- * Return entropy available scaled to integral bits
4387 +- */
4388 +-static int proc_do_entropy(struct ctl_table *table, int write,
4389 +- void __user *buffer, size_t *lenp, loff_t *ppos)
4390 ++/* The same as proc_dointvec, but writes don't change anything. */
4391 ++static int proc_do_rointvec(struct ctl_table *table, int write, void __user *buf,
4392 ++ size_t *lenp, loff_t *ppos)
4393 + {
4394 +- struct ctl_table fake_table;
4395 +- int entropy_count;
4396 +-
4397 +- entropy_count = *(int *)table->data >> ENTROPY_SHIFT;
4398 +-
4399 +- fake_table.data = &entropy_count;
4400 +- fake_table.maxlen = sizeof(entropy_count);
4401 +-
4402 +- return proc_dointvec(&fake_table, write, buffer, lenp, ppos);
4403 ++ return write ? 0 : proc_dointvec(table, 0, buf, lenp, ppos);
4404 + }
4405 +
4406 +-static int sysctl_poolsize = INPUT_POOL_WORDS * 32;
4407 + extern struct ctl_table random_table[];
4408 + struct ctl_table random_table[] = {
4409 + {
4410 +@@ -2211,213 +1483,36 @@ struct ctl_table random_table[] = {
4411 + },
4412 + {
4413 + .procname = "entropy_avail",
4414 ++ .data = &input_pool.init_bits,
4415 + .maxlen = sizeof(int),
4416 + .mode = 0444,
4417 +- .proc_handler = proc_do_entropy,
4418 +- .data = &input_pool.entropy_count,
4419 +- },
4420 +- {
4421 +- .procname = "read_wakeup_threshold",
4422 +- .data = &random_read_wakeup_bits,
4423 +- .maxlen = sizeof(int),
4424 +- .mode = 0644,
4425 +- .proc_handler = proc_dointvec_minmax,
4426 +- .extra1 = &min_read_thresh,
4427 +- .extra2 = &max_read_thresh,
4428 ++ .proc_handler = proc_dointvec,
4429 + },
4430 + {
4431 + .procname = "write_wakeup_threshold",
4432 +- .data = &random_write_wakeup_bits,
4433 ++ .data = &sysctl_random_write_wakeup_bits,
4434 + .maxlen = sizeof(int),
4435 + .mode = 0644,
4436 +- .proc_handler = proc_dointvec_minmax,
4437 +- .extra1 = &min_write_thresh,
4438 +- .extra2 = &max_write_thresh,
4439 ++ .proc_handler = proc_do_rointvec,
4440 + },
4441 + {
4442 + .procname = "urandom_min_reseed_secs",
4443 +- .data = &random_min_urandom_seed,
4444 ++ .data = &sysctl_random_min_urandom_seed,
4445 + .maxlen = sizeof(int),
4446 + .mode = 0644,
4447 +- .proc_handler = proc_dointvec,
4448 ++ .proc_handler = proc_do_rointvec,
4449 + },
4450 + {
4451 + .procname = "boot_id",
4452 + .data = &sysctl_bootid,
4453 +- .maxlen = 16,
4454 + .mode = 0444,
4455 + .proc_handler = proc_do_uuid,
4456 + },
4457 + {
4458 + .procname = "uuid",
4459 +- .maxlen = 16,
4460 + .mode = 0444,
4461 + .proc_handler = proc_do_uuid,
4462 + },
4463 +-#ifdef ADD_INTERRUPT_BENCH
4464 +- {
4465 +- .procname = "add_interrupt_avg_cycles",
4466 +- .data = &avg_cycles,
4467 +- .maxlen = sizeof(avg_cycles),
4468 +- .mode = 0444,
4469 +- .proc_handler = proc_doulongvec_minmax,
4470 +- },
4471 +- {
4472 +- .procname = "add_interrupt_avg_deviation",
4473 +- .data = &avg_deviation,
4474 +- .maxlen = sizeof(avg_deviation),
4475 +- .mode = 0444,
4476 +- .proc_handler = proc_doulongvec_minmax,
4477 +- },
4478 +-#endif
4479 + { }
4480 + };
4481 +-#endif /* CONFIG_SYSCTL */
4482 +-
4483 +-struct batched_entropy {
4484 +- union {
4485 +- u64 entropy_u64[CHACHA20_BLOCK_SIZE / sizeof(u64)];
4486 +- u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)];
4487 +- };
4488 +- unsigned int position;
4489 +- spinlock_t batch_lock;
4490 +-};
4491 +-
4492 +-/*
4493 +- * Get a random word for internal kernel use only. The quality of the random
4494 +- * number is good as /dev/urandom, but there is no backtrack protection, with
4495 +- * the goal of being quite fast and not depleting entropy. In order to ensure
4496 +- * that the randomness provided by this function is okay, the function
4497 +- * wait_for_random_bytes() should be called and return 0 at least once at any
4498 +- * point prior.
4499 +- */
4500 +-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64) = {
4501 +- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u64.lock),
4502 +-};
4503 +-
4504 +-u64 get_random_u64(void)
4505 +-{
4506 +- u64 ret;
4507 +- unsigned long flags;
4508 +- struct batched_entropy *batch;
4509 +- static void *previous;
4510 +-
4511 +- warn_unseeded_randomness(&previous);
4512 +-
4513 +- batch = raw_cpu_ptr(&batched_entropy_u64);
4514 +- spin_lock_irqsave(&batch->batch_lock, flags);
4515 +- if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
4516 +- extract_crng((u8 *)batch->entropy_u64);
4517 +- batch->position = 0;
4518 +- }
4519 +- ret = batch->entropy_u64[batch->position++];
4520 +- spin_unlock_irqrestore(&batch->batch_lock, flags);
4521 +- return ret;
4522 +-}
4523 +-EXPORT_SYMBOL(get_random_u64);
4524 +-
4525 +-static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32) = {
4526 +- .batch_lock = __SPIN_LOCK_UNLOCKED(batched_entropy_u32.lock),
4527 +-};
4528 +-u32 get_random_u32(void)
4529 +-{
4530 +- u32 ret;
4531 +- unsigned long flags;
4532 +- struct batched_entropy *batch;
4533 +- static void *previous;
4534 +-
4535 +- warn_unseeded_randomness(&previous);
4536 +-
4537 +- batch = raw_cpu_ptr(&batched_entropy_u32);
4538 +- spin_lock_irqsave(&batch->batch_lock, flags);
4539 +- if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
4540 +- extract_crng((u8 *)batch->entropy_u32);
4541 +- batch->position = 0;
4542 +- }
4543 +- ret = batch->entropy_u32[batch->position++];
4544 +- spin_unlock_irqrestore(&batch->batch_lock, flags);
4545 +- return ret;
4546 +-}
4547 +-EXPORT_SYMBOL(get_random_u32);
4548 +-
4549 +-/* It's important to invalidate all potential batched entropy that might
4550 +- * be stored before the crng is initialized, which we can do lazily by
4551 +- * simply resetting the counter to zero so that it's re-extracted on the
4552 +- * next usage. */
4553 +-static void invalidate_batched_entropy(void)
4554 +-{
4555 +- int cpu;
4556 +- unsigned long flags;
4557 +-
4558 +- for_each_possible_cpu (cpu) {
4559 +- struct batched_entropy *batched_entropy;
4560 +-
4561 +- batched_entropy = per_cpu_ptr(&batched_entropy_u32, cpu);
4562 +- spin_lock_irqsave(&batched_entropy->batch_lock, flags);
4563 +- batched_entropy->position = 0;
4564 +- spin_unlock(&batched_entropy->batch_lock);
4565 +-
4566 +- batched_entropy = per_cpu_ptr(&batched_entropy_u64, cpu);
4567 +- spin_lock(&batched_entropy->batch_lock);
4568 +- batched_entropy->position = 0;
4569 +- spin_unlock_irqrestore(&batched_entropy->batch_lock, flags);
4570 +- }
4571 +-}
4572 +-
4573 +-/**
4574 +- * randomize_page - Generate a random, page aligned address
4575 +- * @start: The smallest acceptable address the caller will take.
4576 +- * @range: The size of the area, starting at @start, within which the
4577 +- * random address must fall.
4578 +- *
4579 +- * If @start + @range would overflow, @range is capped.
4580 +- *
4581 +- * NOTE: Historical use of randomize_range, which this replaces, presumed that
4582 +- * @start was already page aligned. We now align it regardless.
4583 +- *
4584 +- * Return: A page aligned address within [start, start + range). On error,
4585 +- * @start is returned.
4586 +- */
4587 +-unsigned long
4588 +-randomize_page(unsigned long start, unsigned long range)
4589 +-{
4590 +- if (!PAGE_ALIGNED(start)) {
4591 +- range -= PAGE_ALIGN(start) - start;
4592 +- start = PAGE_ALIGN(start);
4593 +- }
4594 +-
4595 +- if (start > ULONG_MAX - range)
4596 +- range = ULONG_MAX - start;
4597 +-
4598 +- range >>= PAGE_SHIFT;
4599 +-
4600 +- if (range == 0)
4601 +- return start;
4602 +-
4603 +- return start + (get_random_long() % range << PAGE_SHIFT);
4604 +-}
4605 +-
4606 +-/* Interface for in-kernel drivers of true hardware RNGs.
4607 +- * Those devices may produce endless random bits and will be throttled
4608 +- * when our pool is full.
4609 +- */
4610 +-void add_hwgenerator_randomness(const char *buffer, size_t count,
4611 +- size_t entropy)
4612 +-{
4613 +- struct entropy_store *poolp = &input_pool;
4614 +-
4615 +- if (unlikely(crng_init == 0)) {
4616 +- crng_fast_load(buffer, count);
4617 +- return;
4618 +- }
4619 +-
4620 +- /* Suspend writing if we're above the trickle threshold.
4621 +- * We'll be woken up again once below random_write_wakeup_thresh,
4622 +- * or when the calling thread is about to terminate.
4623 +- */
4624 +- wait_event_interruptible(random_write_wait, kthread_should_stop() ||
4625 +- ENTROPY_BITS(&input_pool) <= random_write_wakeup_bits);
4626 +- mix_pool_bytes(poolp, buffer, count);
4627 +- credit_entropy_bits(poolp, entropy);
4628 +-}
4629 +-EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
4630 ++#endif /* CONFIG_SYSCTL */
4631 +diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
4632 +index 12bc9fa211117..08bcefca313db 100644
4633 +--- a/drivers/hv/hv.c
4634 ++++ b/drivers/hv/hv.c
4635 +@@ -115,7 +115,7 @@ static void hv_stimer0_isr(void)
4636 +
4637 + hv_cpu = this_cpu_ptr(hv_context.cpu_context);
4638 + hv_cpu->clk_evt->event_handler(hv_cpu->clk_evt);
4639 +- add_interrupt_randomness(stimer0_vector, 0);
4640 ++ add_interrupt_randomness(stimer0_vector);
4641 + }
4642 +
4643 + static int hv_ce_set_next_event(unsigned long delta,
4644 +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
4645 +index 0c17743b4a65c..fca092cfe2004 100644
4646 +--- a/drivers/hv/vmbus_drv.c
4647 ++++ b/drivers/hv/vmbus_drv.c
4648 +@@ -1146,7 +1146,7 @@ static void vmbus_isr(void)
4649 + tasklet_schedule(&hv_cpu->msg_dpc);
4650 + }
4651 +
4652 +- add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);
4653 ++ add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR);
4654 + }
4655 +
4656 + /*
4657 +diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
4658 +index fb82d8ee0dd6d..c4051a3e63c29 100644
4659 +--- a/drivers/hwmon/hwmon.c
4660 ++++ b/drivers/hwmon/hwmon.c
4661 +@@ -695,12 +695,11 @@ EXPORT_SYMBOL_GPL(hwmon_device_register_with_groups);
4662 +
4663 + /**
4664 + * hwmon_device_register_with_info - register w/ hwmon
4665 +- * @dev: the parent device (mandatory)
4666 +- * @name: hwmon name attribute (mandatory)
4667 +- * @drvdata: driver data to attach to created device (optional)
4668 +- * @chip: pointer to hwmon chip information (mandatory)
4669 ++ * @dev: the parent device
4670 ++ * @name: hwmon name attribute
4671 ++ * @drvdata: driver data to attach to created device
4672 ++ * @chip: pointer to hwmon chip information
4673 + * @extra_groups: pointer to list of additional non-standard attribute groups
4674 +- * (optional)
4675 + *
4676 + * hwmon_device_unregister() must be called when the device is no
4677 + * longer needed.
4678 +@@ -713,10 +712,13 @@ hwmon_device_register_with_info(struct device *dev, const char *name,
4679 + const struct hwmon_chip_info *chip,
4680 + const struct attribute_group **extra_groups)
4681 + {
4682 +- if (!dev || !name || !chip)
4683 ++ if (!name)
4684 ++ return ERR_PTR(-EINVAL);
4685 ++
4686 ++ if (chip && (!chip->ops || !chip->ops->is_visible || !chip->info))
4687 + return ERR_PTR(-EINVAL);
4688 +
4689 +- if (!chip->ops || !chip->ops->is_visible || !chip->info)
4690 ++ if (chip && !dev)
4691 + return ERR_PTR(-EINVAL);
4692 +
4693 + return __hwmon_device_register(dev, name, drvdata, chip, extra_groups);
4694 +diff --git a/drivers/irqchip/irq-gic-realview.c b/drivers/irqchip/irq-gic-realview.c
4695 +index b4c1924f02554..38fab02ffe9d0 100644
4696 +--- a/drivers/irqchip/irq-gic-realview.c
4697 ++++ b/drivers/irqchip/irq-gic-realview.c
4698 +@@ -57,6 +57,7 @@ realview_gic_of_init(struct device_node *node, struct device_node *parent)
4699 +
4700 + /* The PB11MPCore GIC needs to be configured in the syscon */
4701 + map = syscon_node_to_regmap(np);
4702 ++ of_node_put(np);
4703 + if (!IS_ERR(map)) {
4704 + /* new irq mode with no DCC */
4705 + regmap_write(map, REALVIEW_SYS_LOCK_OFFSET,
4706 +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
4707 +index 05b9a4cdc8fd5..8d8b8d192e2e3 100644
4708 +--- a/drivers/irqchip/irq-gic-v3.c
4709 ++++ b/drivers/irqchip/irq-gic-v3.c
4710 +@@ -1205,12 +1205,15 @@ static void __init gic_populate_ppi_partitions(struct device_node *gic_node)
4711 + continue;
4712 +
4713 + cpu = of_cpu_node_to_id(cpu_node);
4714 +- if (WARN_ON(cpu < 0))
4715 ++ if (WARN_ON(cpu < 0)) {
4716 ++ of_node_put(cpu_node);
4717 + continue;
4718 ++ }
4719 +
4720 + pr_cont("%pOF[%d] ", cpu_node, cpu);
4721 +
4722 + cpumask_set_cpu(cpu, &part->mask);
4723 ++ of_node_put(cpu_node);
4724 + }
4725 +
4726 + pr_cont("}\n");
4727 +diff --git a/drivers/misc/atmel-ssc.c b/drivers/misc/atmel-ssc.c
4728 +index f9caf233e2cc0..48521861beb52 100644
4729 +--- a/drivers/misc/atmel-ssc.c
4730 ++++ b/drivers/misc/atmel-ssc.c
4731 +@@ -235,9 +235,9 @@ static int ssc_probe(struct platform_device *pdev)
4732 + clk_disable_unprepare(ssc->clk);
4733 +
4734 + ssc->irq = platform_get_irq(pdev, 0);
4735 +- if (!ssc->irq) {
4736 ++ if (ssc->irq < 0) {
4737 + dev_dbg(&pdev->dev, "could not get irq\n");
4738 +- return -ENXIO;
4739 ++ return ssc->irq;
4740 + }
4741 +
4742 + mutex_lock(&user_lock);
4743 +diff --git a/drivers/net/ethernet/broadcom/bgmac-bcma.c b/drivers/net/ethernet/broadcom/bgmac-bcma.c
4744 +index 6fe074c1588bb..77de92eb08b21 100644
4745 +--- a/drivers/net/ethernet/broadcom/bgmac-bcma.c
4746 ++++ b/drivers/net/ethernet/broadcom/bgmac-bcma.c
4747 +@@ -323,7 +323,6 @@ static void bgmac_remove(struct bcma_device *core)
4748 + bcma_mdio_mii_unregister(bgmac->mii_bus);
4749 + bgmac_enet_remove(bgmac);
4750 + bcma_set_drvdata(core, NULL);
4751 +- kfree(bgmac);
4752 + }
4753 +
4754 + static struct bcma_driver bgmac_bcma_driver = {
4755 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
4756 +index 5242d3dfeb22d..6a70e62836f8f 100644
4757 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
4758 ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
4759 +@@ -2195,15 +2195,16 @@ static void i40e_diag_test(struct net_device *netdev,
4760 +
4761 + set_bit(__I40E_TESTING, pf->state);
4762 +
4763 ++ if (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state) ||
4764 ++ test_bit(__I40E_RESET_INTR_RECEIVED, pf->state)) {
4765 ++ dev_warn(&pf->pdev->dev,
4766 ++ "Cannot start offline testing when PF is in reset state.\n");
4767 ++ goto skip_ol_tests;
4768 ++ }
4769 ++
4770 + if (i40e_active_vfs(pf) || i40e_active_vmdqs(pf)) {
4771 + dev_warn(&pf->pdev->dev,
4772 + "Please take active VFs and Netqueues offline and restart the adapter before running NIC diagnostics\n");
4773 +- data[I40E_ETH_TEST_REG] = 1;
4774 +- data[I40E_ETH_TEST_EEPROM] = 1;
4775 +- data[I40E_ETH_TEST_INTR] = 1;
4776 +- data[I40E_ETH_TEST_LINK] = 1;
4777 +- eth_test->flags |= ETH_TEST_FL_FAILED;
4778 +- clear_bit(__I40E_TESTING, pf->state);
4779 + goto skip_ol_tests;
4780 + }
4781 +
4782 +@@ -2250,9 +2251,17 @@ static void i40e_diag_test(struct net_device *netdev,
4783 + data[I40E_ETH_TEST_INTR] = 0;
4784 + }
4785 +
4786 +-skip_ol_tests:
4787 +-
4788 + netif_info(pf, drv, netdev, "testing finished\n");
4789 ++ return;
4790 ++
4791 ++skip_ol_tests:
4792 ++ data[I40E_ETH_TEST_REG] = 1;
4793 ++ data[I40E_ETH_TEST_EEPROM] = 1;
4794 ++ data[I40E_ETH_TEST_INTR] = 1;
4795 ++ data[I40E_ETH_TEST_LINK] = 1;
4796 ++ eth_test->flags |= ETH_TEST_FL_FAILED;
4797 ++ clear_bit(__I40E_TESTING, pf->state);
4798 ++ netif_info(pf, drv, netdev, "testing failed\n");
4799 + }
4800 +
4801 + static void i40e_get_wol(struct net_device *netdev,
4802 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
4803 +index 21ea0cdea6668..3615c6533cf4f 100644
4804 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
4805 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
4806 +@@ -7508,6 +7508,11 @@ static int i40e_configure_clsflower(struct i40e_vsi *vsi,
4807 + return -EOPNOTSUPP;
4808 + }
4809 +
4810 ++ if (!tc) {
4811 ++ dev_err(&pf->pdev->dev, "Unable to add filter because of invalid destination");
4812 ++ return -EINVAL;
4813 ++ }
4814 ++
4815 + if (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state) ||
4816 + test_bit(__I40E_RESET_INTR_RECEIVED, pf->state))
4817 + return -EBUSY;
4818 +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
4819 +index f2eaf8c13cc22..53cff913abf0b 100644
4820 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
4821 ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
4822 +@@ -597,6 +597,17 @@ static inline void mtk_rx_get_desc(struct mtk_rx_dma *rxd,
4823 + rxd->rxd4 = READ_ONCE(dma_rxd->rxd4);
4824 + }
4825 +
4826 ++static void *mtk_max_lro_buf_alloc(gfp_t gfp_mask)
4827 ++{
4828 ++ unsigned int size = mtk_max_frag_size(MTK_MAX_LRO_RX_LENGTH);
4829 ++ unsigned long data;
4830 ++
4831 ++ data = __get_free_pages(gfp_mask | __GFP_COMP | __GFP_NOWARN,
4832 ++ get_order(size));
4833 ++
4834 ++ return (void *)data;
4835 ++}
4836 ++
4837 + /* the qdma core needs scratch memory to be setup */
4838 + static int mtk_init_fq_dma(struct mtk_eth *eth)
4839 + {
4840 +@@ -1005,7 +1016,10 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
4841 + goto release_desc;
4842 +
4843 + /* alloc new buffer */
4844 +- new_data = napi_alloc_frag(ring->frag_size);
4845 ++ if (ring->frag_size <= PAGE_SIZE)
4846 ++ new_data = napi_alloc_frag(ring->frag_size);
4847 ++ else
4848 ++ new_data = mtk_max_lro_buf_alloc(GFP_ATOMIC);
4849 + if (unlikely(!new_data)) {
4850 + netdev->stats.rx_dropped++;
4851 + goto release_desc;
4852 +@@ -1312,7 +1326,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag)
4853 + return -ENOMEM;
4854 +
4855 + for (i = 0; i < rx_dma_size; i++) {
4856 +- ring->data[i] = netdev_alloc_frag(ring->frag_size);
4857 ++ if (ring->frag_size <= PAGE_SIZE)
4858 ++ ring->data[i] = netdev_alloc_frag(ring->frag_size);
4859 ++ else
4860 ++ ring->data[i] = mtk_max_lro_buf_alloc(GFP_KERNEL);
4861 + if (!ring->data[i])
4862 + return -ENOMEM;
4863 + }
4864 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h b/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h
4865 +index 81465e267b100..b7eb3674e2856 100644
4866 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h
4867 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_cnt.h
4868 +@@ -7,8 +7,8 @@
4869 + #include "spectrum.h"
4870 +
4871 + enum mlxsw_sp_counter_sub_pool_id {
4872 +- MLXSW_SP_COUNTER_SUB_POOL_FLOW,
4873 + MLXSW_SP_COUNTER_SUB_POOL_RIF,
4874 ++ MLXSW_SP_COUNTER_SUB_POOL_FLOW,
4875 + };
4876 +
4877 + int mlxsw_sp_counter_alloc(struct mlxsw_sp *mlxsw_sp,
4878 +diff --git a/drivers/nfc/nfcmrvl/usb.c b/drivers/nfc/nfcmrvl/usb.c
4879 +index 888e298f610b8..f26986eb53f19 100644
4880 +--- a/drivers/nfc/nfcmrvl/usb.c
4881 ++++ b/drivers/nfc/nfcmrvl/usb.c
4882 +@@ -401,13 +401,25 @@ static void nfcmrvl_play_deferred(struct nfcmrvl_usb_drv_data *drv_data)
4883 + int err;
4884 +
4885 + while ((urb = usb_get_from_anchor(&drv_data->deferred))) {
4886 ++ usb_anchor_urb(urb, &drv_data->tx_anchor);
4887 ++
4888 + err = usb_submit_urb(urb, GFP_ATOMIC);
4889 +- if (err)
4890 ++ if (err) {
4891 ++ kfree(urb->setup_packet);
4892 ++ usb_unanchor_urb(urb);
4893 ++ usb_free_urb(urb);
4894 + break;
4895 ++ }
4896 +
4897 + drv_data->tx_in_flight++;
4898 ++ usb_free_urb(urb);
4899 ++ }
4900 ++
4901 ++ /* Cleanup the rest deferred urbs. */
4902 ++ while ((urb = usb_get_from_anchor(&drv_data->deferred))) {
4903 ++ kfree(urb->setup_packet);
4904 ++ usb_free_urb(urb);
4905 + }
4906 +- usb_scuttle_anchored_urbs(&drv_data->deferred);
4907 + }
4908 +
4909 + static int nfcmrvl_resume(struct usb_interface *intf)
4910 +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
4911 +index 1eb6af6439ad6..2e9ea7f1e719b 100644
4912 +--- a/drivers/of/fdt.c
4913 ++++ b/drivers/of/fdt.c
4914 +@@ -25,6 +25,7 @@
4915 + #include <linux/debugfs.h>
4916 + #include <linux/serial_core.h>
4917 + #include <linux/sysfs.h>
4918 ++#include <linux/random.h>
4919 +
4920 + #include <asm/setup.h> /* for COMMAND_LINE_SIZE */
4921 + #include <asm/page.h>
4922 +@@ -1077,6 +1078,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
4923 + {
4924 + int l;
4925 + const char *p;
4926 ++ const void *rng_seed;
4927 +
4928 + pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
4929 +
4930 +@@ -1111,6 +1113,14 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
4931 +
4932 + pr_debug("Command line is: %s\n", (char*)data);
4933 +
4934 ++ rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
4935 ++ if (rng_seed && l > 0) {
4936 ++ add_bootloader_randomness(rng_seed, l);
4937 ++
4938 ++ /* try to clear seed so it won't be found. */
4939 ++ fdt_nop_property(initial_boot_params, node, "rng-seed");
4940 ++ }
4941 ++
4942 + /* break now */
4943 + return 1;
4944 + }
4945 +@@ -1213,8 +1223,6 @@ bool __init early_init_dt_verify(void *params)
4946 +
4947 + /* Setup flat device-tree pointer */
4948 + initial_boot_params = params;
4949 +- of_fdt_crc32 = crc32_be(~0, initial_boot_params,
4950 +- fdt_totalsize(initial_boot_params));
4951 + return true;
4952 + }
4953 +
4954 +@@ -1240,6 +1248,8 @@ bool __init early_init_dt_scan(void *params)
4955 + return false;
4956 +
4957 + early_init_dt_scan_nodes();
4958 ++ of_fdt_crc32 = crc32_be(~0, initial_boot_params,
4959 ++ fdt_totalsize(initial_boot_params));
4960 + return true;
4961 + }
4962 +
4963 +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
4964 +index 1b04a8223eb01..c6cde552b995e 100644
4965 +--- a/drivers/scsi/ipr.c
4966 ++++ b/drivers/scsi/ipr.c
4967 +@@ -9783,7 +9783,7 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg)
4968 + GFP_KERNEL);
4969 +
4970 + if (!ioa_cfg->hrrq[i].host_rrq) {
4971 +- while (--i > 0)
4972 ++ while (--i >= 0)
4973 + dma_free_coherent(&pdev->dev,
4974 + sizeof(u32) * ioa_cfg->hrrq[i].size,
4975 + ioa_cfg->hrrq[i].host_rrq,
4976 +@@ -10056,7 +10056,7 @@ static int ipr_request_other_msi_irqs(struct ipr_ioa_cfg *ioa_cfg,
4977 + ioa_cfg->vectors_info[i].desc,
4978 + &ioa_cfg->hrrq[i]);
4979 + if (rc) {
4980 +- while (--i >= 0)
4981 ++ while (--i > 0)
4982 + free_irq(pci_irq_vector(pdev, i),
4983 + &ioa_cfg->hrrq[i]);
4984 + return rc;
4985 +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
4986 +index 9442fb30e7cd8..f666518d84b0a 100644
4987 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
4988 ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
4989 +@@ -662,7 +662,8 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
4990 + else
4991 + lpfc_els_rsp_acc(vport, ELS_CMD_ACC, cmdiocb, ndlp, NULL);
4992 + if (ndlp->nlp_DID == Fabric_DID) {
4993 +- if (vport->port_state <= LPFC_FDISC)
4994 ++ if (vport->port_state <= LPFC_FDISC ||
4995 ++ vport->fc_flag & FC_PT2PT)
4996 + goto out;
4997 + lpfc_linkdown_port(vport);
4998 + spin_lock_irq(shost->host_lock);
4999 +diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
5000 +index 4e86994e10e81..6e96229c58e05 100644
5001 +--- a/drivers/scsi/pmcraid.c
5002 ++++ b/drivers/scsi/pmcraid.c
5003 +@@ -4559,7 +4559,7 @@ pmcraid_register_interrupt_handler(struct pmcraid_instance *pinstance)
5004 + return 0;
5005 +
5006 + out_unwind:
5007 +- while (--i > 0)
5008 ++ while (--i >= 0)
5009 + free_irq(pci_irq_vector(pdev, i), &pinstance->hrrq_vector[i]);
5010 + pci_free_irq_vectors(pdev);
5011 + return rc;
5012 +diff --git a/drivers/scsi/vmw_pvscsi.h b/drivers/scsi/vmw_pvscsi.h
5013 +index 75966d3f326e0..d87c12324c032 100644
5014 +--- a/drivers/scsi/vmw_pvscsi.h
5015 ++++ b/drivers/scsi/vmw_pvscsi.h
5016 +@@ -333,8 +333,8 @@ struct PVSCSIRingReqDesc {
5017 + u8 tag;
5018 + u8 bus;
5019 + u8 target;
5020 +- u8 vcpuHint;
5021 +- u8 unused[59];
5022 ++ u16 vcpuHint;
5023 ++ u8 unused[58];
5024 + } __packed;
5025 +
5026 + /*
5027 +diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
5028 +index 7769eadfaf61d..ccc65cfc519f5 100644
5029 +--- a/drivers/staging/comedi/drivers/vmk80xx.c
5030 ++++ b/drivers/staging/comedi/drivers/vmk80xx.c
5031 +@@ -685,7 +685,7 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)
5032 + if (!devpriv->usb_rx_buf)
5033 + return -ENOMEM;
5034 +
5035 +- size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
5036 ++ size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);
5037 + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
5038 + if (!devpriv->usb_tx_buf)
5039 + return -ENOMEM;
5040 +diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c
5041 +index abc84d84f6386..9180ca5e4dcd4 100644
5042 +--- a/drivers/tty/goldfish.c
5043 ++++ b/drivers/tty/goldfish.c
5044 +@@ -428,7 +428,7 @@ static int goldfish_tty_remove(struct platform_device *pdev)
5045 + tty_unregister_device(goldfish_tty_driver, qtty->console.index);
5046 + iounmap(qtty->base);
5047 + qtty->base = NULL;
5048 +- free_irq(qtty->irq, pdev);
5049 ++ free_irq(qtty->irq, qtty);
5050 + tty_port_destroy(&qtty->port);
5051 + goldfish_tty_current_line_count--;
5052 + if (goldfish_tty_current_line_count == 0)
5053 +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
5054 +index 34687c354f5e9..5a2e67a8ddc75 100644
5055 +--- a/drivers/tty/serial/8250/8250_port.c
5056 ++++ b/drivers/tty/serial/8250/8250_port.c
5057 +@@ -1522,6 +1522,8 @@ static inline void __stop_tx(struct uart_8250_port *p)
5058 +
5059 + if (em485) {
5060 + unsigned char lsr = serial_in(p, UART_LSR);
5061 ++ p->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS;
5062 ++
5063 + /*
5064 + * To provide required timeing and allow FIFO transfer,
5065 + * __stop_tx_rs485() must be called only when both FIFO and
5066 +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
5067 +index 22c4d554865ee..cfda883185838 100644
5068 +--- a/drivers/usb/dwc2/hcd.c
5069 ++++ b/drivers/usb/dwc2/hcd.c
5070 +@@ -5236,7 +5236,7 @@ int dwc2_hcd_init(struct dwc2_hsotg *hsotg)
5071 + res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
5072 + if (!res) {
5073 + retval = -EINVAL;
5074 +- goto error1;
5075 ++ goto error2;
5076 + }
5077 + hcd->rsrc_start = res->start;
5078 + hcd->rsrc_len = resource_size(res);
5079 +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
5080 +index 1b3e674e6330d..2fe91f120bb1d 100644
5081 +--- a/drivers/usb/gadget/function/u_ether.c
5082 ++++ b/drivers/usb/gadget/function/u_ether.c
5083 +@@ -772,9 +772,13 @@ struct eth_dev *gether_setup_name(struct usb_gadget *g,
5084 + dev->qmult = qmult;
5085 + snprintf(net->name, sizeof(net->name), "%s%%d", netname);
5086 +
5087 +- if (get_ether_addr(dev_addr, net->dev_addr))
5088 ++ if (get_ether_addr(dev_addr, net->dev_addr)) {
5089 ++ net->addr_assign_type = NET_ADDR_RANDOM;
5090 + dev_warn(&g->dev,
5091 + "using random %s ethernet address\n", "self");
5092 ++ } else {
5093 ++ net->addr_assign_type = NET_ADDR_SET;
5094 ++ }
5095 + if (get_ether_addr(host_addr, dev->host_mac))
5096 + dev_warn(&g->dev,
5097 + "using random %s ethernet address\n", "host");
5098 +@@ -831,6 +835,9 @@ struct net_device *gether_setup_name_default(const char *netname)
5099 + INIT_LIST_HEAD(&dev->tx_reqs);
5100 + INIT_LIST_HEAD(&dev->rx_reqs);
5101 +
5102 ++ /* by default we always have a random MAC address */
5103 ++ net->addr_assign_type = NET_ADDR_RANDOM;
5104 ++
5105 + skb_queue_head_init(&dev->rx_frames);
5106 +
5107 + /* network device setup */
5108 +@@ -868,7 +875,6 @@ int gether_register_netdev(struct net_device *net)
5109 + g = dev->gadget;
5110 +
5111 + memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);
5112 +- net->addr_assign_type = NET_ADDR_RANDOM;
5113 +
5114 + status = register_netdev(net);
5115 + if (status < 0) {
5116 +@@ -908,6 +914,7 @@ int gether_set_dev_addr(struct net_device *net, const char *dev_addr)
5117 + if (get_ether_addr(dev_addr, new_addr))
5118 + return -EINVAL;
5119 + memcpy(dev->dev_mac, new_addr, ETH_ALEN);
5120 ++ net->addr_assign_type = NET_ADDR_SET;
5121 + return 0;
5122 + }
5123 + EXPORT_SYMBOL_GPL(gether_set_dev_addr);
5124 +diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
5125 +index cf56819f16e4c..f7735d5ac6beb 100644
5126 +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
5127 ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
5128 +@@ -3021,6 +3021,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
5129 + }
5130 +
5131 + udc->isp1301_i2c_client = isp1301_get_client(isp1301_node);
5132 ++ of_node_put(isp1301_node);
5133 + if (!udc->isp1301_i2c_client) {
5134 + retval = -EPROBE_DEFER;
5135 + goto phy_fail;
5136 +diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
5137 +index 6d1d6efa30554..a4421e1a6c07a 100644
5138 +--- a/drivers/usb/serial/io_ti.c
5139 ++++ b/drivers/usb/serial/io_ti.c
5140 +@@ -168,6 +168,7 @@ static const struct usb_device_id edgeport_2port_id_table[] = {
5141 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_8S) },
5142 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416) },
5143 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416B) },
5144 ++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_E5805A) },
5145 + { }
5146 + };
5147 +
5148 +@@ -206,6 +207,7 @@ static const struct usb_device_id id_table_combined[] = {
5149 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_8S) },
5150 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416) },
5151 + { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_TI_EDGEPORT_416B) },
5152 ++ { USB_DEVICE(USB_VENDOR_ID_ION, ION_DEVICE_ID_E5805A) },
5153 + { }
5154 + };
5155 +
5156 +diff --git a/drivers/usb/serial/io_usbvend.h b/drivers/usb/serial/io_usbvend.h
5157 +index c38e87ac5ea9e..7ca5ca49adff8 100644
5158 +--- a/drivers/usb/serial/io_usbvend.h
5159 ++++ b/drivers/usb/serial/io_usbvend.h
5160 +@@ -212,6 +212,7 @@
5161 + //
5162 + // Definitions for other product IDs
5163 + #define ION_DEVICE_ID_MT4X56USB 0x1403 // OEM device
5164 ++#define ION_DEVICE_ID_E5805A 0x1A01 // OEM device (rebranded Edgeport/4)
5165 +
5166 +
5167 + #define GENERATION_ID_FROM_USB_PRODUCT_ID(ProductId) \
5168 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
5169 +index 427a38ab198ba..4f99818ca70ed 100644
5170 +--- a/drivers/usb/serial/option.c
5171 ++++ b/drivers/usb/serial/option.c
5172 +@@ -432,6 +432,8 @@ static void option_instat_callback(struct urb *urb);
5173 + #define CINTERION_PRODUCT_CLS8 0x00b0
5174 + #define CINTERION_PRODUCT_MV31_MBIM 0x00b3
5175 + #define CINTERION_PRODUCT_MV31_RMNET 0x00b7
5176 ++#define CINTERION_PRODUCT_MV31_2_MBIM 0x00b8
5177 ++#define CINTERION_PRODUCT_MV31_2_RMNET 0x00b9
5178 + #define CINTERION_PRODUCT_MV32_WA 0x00f1
5179 + #define CINTERION_PRODUCT_MV32_WB 0x00f2
5180 +
5181 +@@ -1979,6 +1981,10 @@ static const struct usb_device_id option_ids[] = {
5182 + .driver_info = RSVD(3)},
5183 + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_RMNET, 0xff),
5184 + .driver_info = RSVD(0)},
5185 ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_2_MBIM, 0xff),
5186 ++ .driver_info = RSVD(3)},
5187 ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV31_2_RMNET, 0xff),
5188 ++ .driver_info = RSVD(0)},
5189 + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WA, 0xff),
5190 + .driver_info = RSVD(3)},
5191 + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_MV32_WB, 0xff),
5192 +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
5193 +index 4cd9ea5c75be7..c69c755bf5538 100644
5194 +--- a/drivers/virtio/virtio_mmio.c
5195 ++++ b/drivers/virtio/virtio_mmio.c
5196 +@@ -663,6 +663,7 @@ static int vm_cmdline_set(const char *device,
5197 + if (!vm_cmdline_parent_registered) {
5198 + err = device_register(&vm_cmdline_parent);
5199 + if (err) {
5200 ++ put_device(&vm_cmdline_parent);
5201 + pr_err("Failed to register parent device!\n");
5202 + return err;
5203 + }
5204 +diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
5205 +index b7cc63f556eea..40618ccffeb8b 100644
5206 +--- a/drivers/virtio/virtio_pci_common.c
5207 ++++ b/drivers/virtio/virtio_pci_common.c
5208 +@@ -257,8 +257,7 @@ void vp_del_vqs(struct virtio_device *vdev)
5209 +
5210 + if (vp_dev->msix_affinity_masks) {
5211 + for (i = 0; i < vp_dev->msix_vectors; i++)
5212 +- if (vp_dev->msix_affinity_masks[i])
5213 +- free_cpumask_var(vp_dev->msix_affinity_masks[i]);
5214 ++ free_cpumask_var(vp_dev->msix_affinity_masks[i]);
5215 + }
5216 +
5217 + if (vp_dev->msix_enabled) {
5218 +diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
5219 +index a950a927a626f..c94e0748fc321 100644
5220 +--- a/fs/9p/vfs_inode_dotl.c
5221 ++++ b/fs/9p/vfs_inode_dotl.c
5222 +@@ -656,14 +656,10 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
5223 + if (stat->st_result_mask & P9_STATS_NLINK)
5224 + set_nlink(inode, stat->st_nlink);
5225 + if (stat->st_result_mask & P9_STATS_MODE) {
5226 +- inode->i_mode = stat->st_mode;
5227 +- if ((S_ISBLK(inode->i_mode)) ||
5228 +- (S_ISCHR(inode->i_mode)))
5229 +- init_special_inode(inode, inode->i_mode,
5230 +- inode->i_rdev);
5231 ++ mode = stat->st_mode & S_IALLUGO;
5232 ++ mode |= inode->i_mode & ~S_IALLUGO;
5233 ++ inode->i_mode = mode;
5234 + }
5235 +- if (stat->st_result_mask & P9_STATS_RDEV)
5236 +- inode->i_rdev = new_decode_dev(stat->st_rdev);
5237 + if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) &&
5238 + stat->st_result_mask & P9_STATS_SIZE)
5239 + v9fs_i_size_write(inode, stat->st_size);
5240 +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
5241 +index db8243627b085..4ea4fe92eb8c9 100644
5242 +--- a/fs/ext4/mballoc.c
5243 ++++ b/fs/ext4/mballoc.c
5244 +@@ -3170,6 +3170,15 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac,
5245 + size = size >> bsbits;
5246 + start = start_off >> bsbits;
5247 +
5248 ++ /*
5249 ++ * For tiny groups (smaller than 8MB) the chosen allocation
5250 ++ * alignment may be larger than group size. Make sure the
5251 ++ * alignment does not move allocation to a different group which
5252 ++ * makes mballoc fail assertions later.
5253 ++ */
5254 ++ start = max(start, rounddown(ac->ac_o_ex.fe_logical,
5255 ++ (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb)));
5256 ++
5257 + /* don't cover already allocated blocks in selected range */
5258 + if (ar->pleft && start <= ar->lleft) {
5259 + size -= ar->lleft + 1 - start;
5260 +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
5261 +index 621271c2989b4..5f85994191504 100644
5262 +--- a/fs/ext4/namei.c
5263 ++++ b/fs/ext4/namei.c
5264 +@@ -1743,7 +1743,8 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
5265 + struct dx_hash_info *hinfo)
5266 + {
5267 + unsigned blocksize = dir->i_sb->s_blocksize;
5268 +- unsigned count, continued;
5269 ++ unsigned continued;
5270 ++ int count;
5271 + struct buffer_head *bh2;
5272 + ext4_lblk_t newblock;
5273 + u32 hash2;
5274 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
5275 +index 5f954620efbf2..d37493b39ab97 100644
5276 +--- a/fs/ext4/resize.c
5277 ++++ b/fs/ext4/resize.c
5278 +@@ -52,6 +52,16 @@ int ext4_resize_begin(struct super_block *sb)
5279 + if (!capable(CAP_SYS_RESOURCE))
5280 + return -EPERM;
5281 +
5282 ++ /*
5283 ++ * If the reserved GDT blocks is non-zero, the resize_inode feature
5284 ++ * should always be set.
5285 ++ */
5286 ++ if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks &&
5287 ++ !ext4_has_feature_resize_inode(sb)) {
5288 ++ ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero");
5289 ++ return -EFSCORRUPTED;
5290 ++ }
5291 ++
5292 + /*
5293 + * If we are not using the primary superblock/GDT copy don't resize,
5294 + * because the user tools have no way of handling this. Probably a
5295 +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
5296 +index a7d638bfb46b9..cfb1fe5dfb1e1 100644
5297 +--- a/fs/nfs/pnfs.c
5298 ++++ b/fs/nfs/pnfs.c
5299 +@@ -2045,6 +2045,12 @@ lookup_again:
5300 + case -ERECALLCONFLICT:
5301 + case -EAGAIN:
5302 + break;
5303 ++ case -ENODATA:
5304 ++ /* The server returned NFS4ERR_LAYOUTUNAVAILABLE */
5305 ++ pnfs_layout_set_fail_bit(
5306 ++ lo, pnfs_iomode_to_fail_bit(iomode));
5307 ++ lseg = NULL;
5308 ++ goto out_put_layout_hdr;
5309 + default:
5310 + if (!nfs_error_is_fatal(PTR_ERR(lseg))) {
5311 + pnfs_layout_clear_fail_bit(lo, pnfs_iomode_to_fail_bit(iomode));
5312 +diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
5313 +new file mode 100644
5314 +index 0000000000000..d439496fa6baa
5315 +--- /dev/null
5316 ++++ b/include/crypto/blake2s.h
5317 +@@ -0,0 +1,102 @@
5318 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
5319 ++/*
5320 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
5321 ++ */
5322 ++
5323 ++#ifndef _CRYPTO_BLAKE2S_H
5324 ++#define _CRYPTO_BLAKE2S_H
5325 ++
5326 ++#include <linux/bug.h>
5327 ++#include <linux/types.h>
5328 ++#include <linux/kernel.h>
5329 ++#include <linux/string.h>
5330 ++
5331 ++enum blake2s_lengths {
5332 ++ BLAKE2S_BLOCK_SIZE = 64,
5333 ++ BLAKE2S_HASH_SIZE = 32,
5334 ++ BLAKE2S_KEY_SIZE = 32,
5335 ++
5336 ++ BLAKE2S_128_HASH_SIZE = 16,
5337 ++ BLAKE2S_160_HASH_SIZE = 20,
5338 ++ BLAKE2S_224_HASH_SIZE = 28,
5339 ++ BLAKE2S_256_HASH_SIZE = 32,
5340 ++};
5341 ++
5342 ++struct blake2s_state {
5343 ++ u32 h[8];
5344 ++ u32 t[2];
5345 ++ u32 f[2];
5346 ++ u8 buf[BLAKE2S_BLOCK_SIZE];
5347 ++ unsigned int buflen;
5348 ++ unsigned int outlen;
5349 ++};
5350 ++
5351 ++enum blake2s_iv {
5352 ++ BLAKE2S_IV0 = 0x6A09E667UL,
5353 ++ BLAKE2S_IV1 = 0xBB67AE85UL,
5354 ++ BLAKE2S_IV2 = 0x3C6EF372UL,
5355 ++ BLAKE2S_IV3 = 0xA54FF53AUL,
5356 ++ BLAKE2S_IV4 = 0x510E527FUL,
5357 ++ BLAKE2S_IV5 = 0x9B05688CUL,
5358 ++ BLAKE2S_IV6 = 0x1F83D9ABUL,
5359 ++ BLAKE2S_IV7 = 0x5BE0CD19UL,
5360 ++};
5361 ++
5362 ++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen);
5363 ++void blake2s_final(struct blake2s_state *state, u8 *out);
5364 ++
5365 ++static inline void blake2s_init_param(struct blake2s_state *state,
5366 ++ const u32 param)
5367 ++{
5368 ++ *state = (struct blake2s_state){{
5369 ++ BLAKE2S_IV0 ^ param,
5370 ++ BLAKE2S_IV1,
5371 ++ BLAKE2S_IV2,
5372 ++ BLAKE2S_IV3,
5373 ++ BLAKE2S_IV4,
5374 ++ BLAKE2S_IV5,
5375 ++ BLAKE2S_IV6,
5376 ++ BLAKE2S_IV7,
5377 ++ }};
5378 ++}
5379 ++
5380 ++static inline void blake2s_init(struct blake2s_state *state,
5381 ++ const size_t outlen)
5382 ++{
5383 ++ blake2s_init_param(state, 0x01010000 | outlen);
5384 ++ state->outlen = outlen;
5385 ++}
5386 ++
5387 ++static inline void blake2s_init_key(struct blake2s_state *state,
5388 ++ const size_t outlen, const void *key,
5389 ++ const size_t keylen)
5390 ++{
5391 ++ WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE ||
5392 ++ !key || !keylen || keylen > BLAKE2S_KEY_SIZE));
5393 ++
5394 ++ blake2s_init_param(state, 0x01010000 | keylen << 8 | outlen);
5395 ++ memcpy(state->buf, key, keylen);
5396 ++ state->buflen = BLAKE2S_BLOCK_SIZE;
5397 ++ state->outlen = outlen;
5398 ++}
5399 ++
5400 ++static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
5401 ++ const size_t outlen, const size_t inlen,
5402 ++ const size_t keylen)
5403 ++{
5404 ++ struct blake2s_state state;
5405 ++
5406 ++ WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen ||
5407 ++ outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE ||
5408 ++ (!key && keylen)));
5409 ++
5410 ++ if (keylen)
5411 ++ blake2s_init_key(&state, outlen, key, keylen);
5412 ++ else
5413 ++ blake2s_init(&state, outlen);
5414 ++
5415 ++ blake2s_update(&state, in, inlen);
5416 ++ blake2s_final(&state, out);
5417 ++}
5418 ++
5419 ++#endif /* _CRYPTO_BLAKE2S_H */
5420 +diff --git a/include/crypto/chacha20.h b/include/crypto/chacha20.h
5421 +index f76302d99e2be..3dd5ab189543f 100644
5422 +--- a/include/crypto/chacha20.h
5423 ++++ b/include/crypto/chacha20.h
5424 +@@ -24,4 +24,19 @@ int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
5425 + unsigned int keysize);
5426 + int crypto_chacha20_crypt(struct skcipher_request *req);
5427 +
5428 ++enum chacha_constants { /* expand 32-byte k */
5429 ++ CHACHA_CONSTANT_EXPA = 0x61707865U,
5430 ++ CHACHA_CONSTANT_ND_3 = 0x3320646eU,
5431 ++ CHACHA_CONSTANT_2_BY = 0x79622d32U,
5432 ++ CHACHA_CONSTANT_TE_K = 0x6b206574U
5433 ++};
5434 ++
5435 ++static inline void chacha_init_consts(u32 *state)
5436 ++{
5437 ++ state[0] = CHACHA_CONSTANT_EXPA;
5438 ++ state[1] = CHACHA_CONSTANT_ND_3;
5439 ++ state[2] = CHACHA_CONSTANT_2_BY;
5440 ++ state[3] = CHACHA_CONSTANT_TE_K;
5441 ++}
5442 ++
5443 + #endif
5444 +diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h
5445 +index 3fb581bf3b875..a6c3b8e7deb64 100644
5446 +--- a/include/crypto/drbg.h
5447 ++++ b/include/crypto/drbg.h
5448 +@@ -105,6 +105,12 @@ struct drbg_test_data {
5449 + struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */
5450 + };
5451 +
5452 ++enum drbg_seed_state {
5453 ++ DRBG_SEED_STATE_UNSEEDED,
5454 ++ DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
5455 ++ DRBG_SEED_STATE_FULL,
5456 ++};
5457 ++
5458 + struct drbg_state {
5459 + struct mutex drbg_mutex; /* lock around DRBG */
5460 + unsigned char *V; /* internal state 10.1.1.1 1a) */
5461 +@@ -127,14 +133,14 @@ struct drbg_state {
5462 + struct crypto_wait ctr_wait; /* CTR mode async wait obj */
5463 + struct scatterlist sg_in, sg_out; /* CTR mode SGLs */
5464 +
5465 +- bool seeded; /* DRBG fully seeded? */
5466 ++ enum drbg_seed_state seeded; /* DRBG fully seeded? */
5467 + bool pr; /* Prediction resistance enabled? */
5468 +- struct work_struct seed_work; /* asynchronous seeding support */
5469 ++ bool fips_primed; /* Continuous test primed? */
5470 ++ unsigned char *prev; /* FIPS 140-2 continuous test value */
5471 + struct crypto_rng *jent;
5472 + const struct drbg_state_ops *d_ops;
5473 + const struct drbg_core *core;
5474 + struct drbg_string test_data;
5475 +- struct random_ready_callback random_ready;
5476 + };
5477 +
5478 + static inline __u8 drbg_statelen(struct drbg_state *drbg)
5479 +@@ -182,11 +188,7 @@ static inline size_t drbg_max_addtl(struct drbg_state *drbg)
5480 + static inline size_t drbg_max_requests(struct drbg_state *drbg)
5481 + {
5482 + /* SP800-90A requires 2**48 maximum requests before reseeding */
5483 +-#if (__BITS_PER_LONG == 32)
5484 +- return SIZE_MAX;
5485 +-#else
5486 +- return (1UL<<48);
5487 +-#endif
5488 ++ return (1<<20);
5489 + }
5490 +
5491 + /*
5492 +diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
5493 +new file mode 100644
5494 +index 0000000000000..3ba066845b699
5495 +--- /dev/null
5496 ++++ b/include/crypto/internal/blake2s.h
5497 +@@ -0,0 +1,19 @@
5498 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
5499 ++
5500 ++#ifndef _CRYPTO_INTERNAL_BLAKE2S_H
5501 ++#define _CRYPTO_INTERNAL_BLAKE2S_H
5502 ++
5503 ++#include <crypto/blake2s.h>
5504 ++
5505 ++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
5506 ++ size_t nblocks, const u32 inc);
5507 ++
5508 ++void blake2s_compress_arch(struct blake2s_state *state,const u8 *block,
5509 ++ size_t nblocks, const u32 inc);
5510 ++
5511 ++static inline void blake2s_set_lastblock(struct blake2s_state *state)
5512 ++{
5513 ++ state->f[0] = -1;
5514 ++}
5515 ++
5516 ++#endif /* _CRYPTO_INTERNAL_BLAKE2S_H */
5517 +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
5518 +index b51da879d7be0..60efd9810d536 100644
5519 +--- a/include/linux/cpuhotplug.h
5520 ++++ b/include/linux/cpuhotplug.h
5521 +@@ -60,6 +60,7 @@ enum cpuhp_state {
5522 + CPUHP_LUSTRE_CFS_DEAD,
5523 + CPUHP_AP_ARM_CACHE_B15_RAC_DEAD,
5524 + CPUHP_PADATA_DEAD,
5525 ++ CPUHP_RANDOM_PREPARE,
5526 + CPUHP_WORKQUEUE_PREP,
5527 + CPUHP_POWER_NUMA_PREPARE,
5528 + CPUHP_HRTIMERS_PREPARE,
5529 +@@ -171,6 +172,7 @@ enum cpuhp_state {
5530 + CPUHP_AP_PERF_POWERPC_THREAD_IMC_ONLINE,
5531 + CPUHP_AP_WATCHDOG_ONLINE,
5532 + CPUHP_AP_WORKQUEUE_ONLINE,
5533 ++ CPUHP_AP_RANDOM_ONLINE,
5534 + CPUHP_AP_RCUTREE_ONLINE,
5535 + CPUHP_AP_BASE_CACHEINFO_ONLINE,
5536 + CPUHP_AP_ONLINE_DYN,
5537 +diff --git a/include/linux/hw_random.h b/include/linux/hw_random.h
5538 +index bee0827766a39..31587f36c06e5 100644
5539 +--- a/include/linux/hw_random.h
5540 ++++ b/include/linux/hw_random.h
5541 +@@ -59,7 +59,5 @@ extern int devm_hwrng_register(struct device *dev, struct hwrng *rng);
5542 + /** Unregister a Hardware Random Number Generator driver. */
5543 + extern void hwrng_unregister(struct hwrng *rng);
5544 + extern void devm_hwrng_unregister(struct device *dve, struct hwrng *rng);
5545 +-/** Feed random bits into the pool. */
5546 +-extern void add_hwgenerator_randomness(const char *buffer, size_t count, size_t entropy);
5547 +
5548 + #endif /* LINUX_HWRANDOM_H_ */
5549 +diff --git a/include/linux/mm.h b/include/linux/mm.h
5550 +index c736c677b876d..26a5fba226644 100644
5551 +--- a/include/linux/mm.h
5552 ++++ b/include/linux/mm.h
5553 +@@ -2308,6 +2308,8 @@ extern int install_special_mapping(struct mm_struct *mm,
5554 + unsigned long addr, unsigned long len,
5555 + unsigned long flags, struct page **pages);
5556 +
5557 ++unsigned long randomize_page(unsigned long start, unsigned long range);
5558 ++
5559 + extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
5560 +
5561 + extern unsigned long mmap_region(struct file *file, unsigned long addr,
5562 +diff --git a/include/linux/prandom.h b/include/linux/prandom.h
5563 +index e20339c78a84c..709e8e69fb39b 100644
5564 +--- a/include/linux/prandom.h
5565 ++++ b/include/linux/prandom.h
5566 +@@ -10,6 +10,7 @@
5567 +
5568 + #include <linux/types.h>
5569 + #include <linux/percpu.h>
5570 ++#include <linux/siphash.h>
5571 +
5572 + u32 prandom_u32(void);
5573 + void prandom_bytes(void *buf, size_t nbytes);
5574 +@@ -21,15 +22,10 @@ void prandom_reseed_late(void);
5575 + * The core SipHash round function. Each line can be executed in
5576 + * parallel given enough CPU resources.
5577 + */
5578 +-#define PRND_SIPROUND(v0, v1, v2, v3) ( \
5579 +- v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
5580 +- v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
5581 +- v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
5582 +- v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \
5583 +-)
5584 ++#define PRND_SIPROUND(v0, v1, v2, v3) SIPHASH_PERMUTATION(v0, v1, v2, v3)
5585 +
5586 +-#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)
5587 +-#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)
5588 ++#define PRND_K0 (SIPHASH_CONST_0 ^ SIPHASH_CONST_2)
5589 ++#define PRND_K1 (SIPHASH_CONST_1 ^ SIPHASH_CONST_3)
5590 +
5591 + #elif BITS_PER_LONG == 32
5592 + /*
5593 +@@ -37,14 +33,9 @@ void prandom_reseed_late(void);
5594 + * This is weaker, but 32-bit machines are not used for high-traffic
5595 + * applications, so there is less output for an attacker to analyze.
5596 + */
5597 +-#define PRND_SIPROUND(v0, v1, v2, v3) ( \
5598 +- v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
5599 +- v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
5600 +- v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
5601 +- v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \
5602 +-)
5603 +-#define PRND_K0 0x6c796765
5604 +-#define PRND_K1 0x74656462
5605 ++#define PRND_SIPROUND(v0, v1, v2, v3) HSIPHASH_PERMUTATION(v0, v1, v2, v3)
5606 ++#define PRND_K0 (HSIPHASH_CONST_0 ^ HSIPHASH_CONST_2)
5607 ++#define PRND_K1 (HSIPHASH_CONST_1 ^ HSIPHASH_CONST_3)
5608 +
5609 + #else
5610 + #error Unsupported BITS_PER_LONG
5611 +diff --git a/include/linux/random.h b/include/linux/random.h
5612 +index 37209b3b22ae4..3feafab498ad9 100644
5613 +--- a/include/linux/random.h
5614 ++++ b/include/linux/random.h
5615 +@@ -1,50 +1,35 @@
5616 + /* SPDX-License-Identifier: GPL-2.0 */
5617 +-/*
5618 +- * include/linux/random.h
5619 +- *
5620 +- * Include file for the random number generator.
5621 +- */
5622 ++
5623 + #ifndef _LINUX_RANDOM_H
5624 + #define _LINUX_RANDOM_H
5625 +
5626 ++#include <linux/bug.h>
5627 ++#include <linux/kernel.h>
5628 + #include <linux/list.h>
5629 + #include <linux/once.h>
5630 +
5631 + #include <uapi/linux/random.h>
5632 +
5633 +-struct random_ready_callback {
5634 +- struct list_head list;
5635 +- void (*func)(struct random_ready_callback *rdy);
5636 +- struct module *owner;
5637 +-};
5638 ++struct notifier_block;
5639 +
5640 +-extern void add_device_randomness(const void *, unsigned int);
5641 ++void add_device_randomness(const void *buf, size_t len);
5642 ++void __init add_bootloader_randomness(const void *buf, size_t len);
5643 ++void add_input_randomness(unsigned int type, unsigned int code,
5644 ++ unsigned int value) __latent_entropy;
5645 ++void add_interrupt_randomness(int irq) __latent_entropy;
5646 ++void add_hwgenerator_randomness(const void *buf, size_t len, size_t entropy);
5647 +
5648 +-#if defined(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) && !defined(__CHECKER__)
5649 ++#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
5650 + static inline void add_latent_entropy(void)
5651 + {
5652 +- add_device_randomness((const void *)&latent_entropy,
5653 +- sizeof(latent_entropy));
5654 ++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
5655 + }
5656 + #else
5657 +-static inline void add_latent_entropy(void) {}
5658 +-#endif
5659 +-
5660 +-extern void add_input_randomness(unsigned int type, unsigned int code,
5661 +- unsigned int value) __latent_entropy;
5662 +-extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
5663 +-
5664 +-extern void get_random_bytes(void *buf, int nbytes);
5665 +-extern int wait_for_random_bytes(void);
5666 +-extern bool rng_is_initialized(void);
5667 +-extern int add_random_ready_callback(struct random_ready_callback *rdy);
5668 +-extern void del_random_ready_callback(struct random_ready_callback *rdy);
5669 +-extern int __must_check get_random_bytes_arch(void *buf, int nbytes);
5670 +-
5671 +-#ifndef MODULE
5672 +-extern const struct file_operations random_fops, urandom_fops;
5673 ++static inline void add_latent_entropy(void) { }
5674 + #endif
5675 +
5676 ++void get_random_bytes(void *buf, size_t len);
5677 ++size_t __must_check get_random_bytes_arch(void *buf, size_t len);
5678 + u32 get_random_u32(void);
5679 + u64 get_random_u64(void);
5680 + static inline unsigned int get_random_int(void)
5681 +@@ -76,36 +61,38 @@ static inline unsigned long get_random_long(void)
5682 +
5683 + static inline unsigned long get_random_canary(void)
5684 + {
5685 +- unsigned long val = get_random_long();
5686 +-
5687 +- return val & CANARY_MASK;
5688 ++ return get_random_long() & CANARY_MASK;
5689 + }
5690 +
5691 ++int __init random_init(const char *command_line);
5692 ++bool rng_is_initialized(void);
5693 ++int wait_for_random_bytes(void);
5694 ++int register_random_ready_notifier(struct notifier_block *nb);
5695 ++int unregister_random_ready_notifier(struct notifier_block *nb);
5696 ++
5697 + /* Calls wait_for_random_bytes() and then calls get_random_bytes(buf, nbytes).
5698 + * Returns the result of the call to wait_for_random_bytes. */
5699 +-static inline int get_random_bytes_wait(void *buf, int nbytes)
5700 ++static inline int get_random_bytes_wait(void *buf, size_t nbytes)
5701 + {
5702 + int ret = wait_for_random_bytes();
5703 + get_random_bytes(buf, nbytes);
5704 + return ret;
5705 + }
5706 +
5707 +-#define declare_get_random_var_wait(var) \
5708 +- static inline int get_random_ ## var ## _wait(var *out) { \
5709 ++#define declare_get_random_var_wait(name, ret_type) \
5710 ++ static inline int get_random_ ## name ## _wait(ret_type *out) { \
5711 + int ret = wait_for_random_bytes(); \
5712 + if (unlikely(ret)) \
5713 + return ret; \
5714 +- *out = get_random_ ## var(); \
5715 ++ *out = get_random_ ## name(); \
5716 + return 0; \
5717 + }
5718 +-declare_get_random_var_wait(u32)
5719 +-declare_get_random_var_wait(u64)
5720 +-declare_get_random_var_wait(int)
5721 +-declare_get_random_var_wait(long)
5722 ++declare_get_random_var_wait(u32, u32)
5723 ++declare_get_random_var_wait(u64, u32)
5724 ++declare_get_random_var_wait(int, unsigned int)
5725 ++declare_get_random_var_wait(long, unsigned long)
5726 + #undef declare_get_random_var
5727 +
5728 +-unsigned long randomize_page(unsigned long start, unsigned long range);
5729 +-
5730 + /*
5731 + * This is designed to be standalone for just prandom
5732 + * users, but for now we include it from <linux/random.h>
5733 +@@ -116,30 +103,39 @@ unsigned long randomize_page(unsigned long start, unsigned long range);
5734 + #ifdef CONFIG_ARCH_RANDOM
5735 + # include <asm/archrandom.h>
5736 + #else
5737 +-static inline bool arch_get_random_long(unsigned long *v)
5738 +-{
5739 +- return 0;
5740 +-}
5741 +-static inline bool arch_get_random_int(unsigned int *v)
5742 +-{
5743 +- return 0;
5744 +-}
5745 +-static inline bool arch_has_random(void)
5746 +-{
5747 +- return 0;
5748 +-}
5749 +-static inline bool arch_get_random_seed_long(unsigned long *v)
5750 +-{
5751 +- return 0;
5752 +-}
5753 +-static inline bool arch_get_random_seed_int(unsigned int *v)
5754 ++static inline bool __must_check arch_get_random_long(unsigned long *v) { return false; }
5755 ++static inline bool __must_check arch_get_random_int(unsigned int *v) { return false; }
5756 ++static inline bool __must_check arch_get_random_seed_long(unsigned long *v) { return false; }
5757 ++static inline bool __must_check arch_get_random_seed_int(unsigned int *v) { return false; }
5758 ++#endif
5759 ++
5760 ++/*
5761 ++ * Called from the boot CPU during startup; not valid to call once
5762 ++ * secondary CPUs are up and preemption is possible.
5763 ++ */
5764 ++#ifndef arch_get_random_seed_long_early
5765 ++static inline bool __init arch_get_random_seed_long_early(unsigned long *v)
5766 + {
5767 +- return 0;
5768 ++ WARN_ON(system_state != SYSTEM_BOOTING);
5769 ++ return arch_get_random_seed_long(v);
5770 + }
5771 +-static inline bool arch_has_random_seed(void)
5772 ++#endif
5773 ++
5774 ++#ifndef arch_get_random_long_early
5775 ++static inline bool __init arch_get_random_long_early(unsigned long *v)
5776 + {
5777 +- return 0;
5778 ++ WARN_ON(system_state != SYSTEM_BOOTING);
5779 ++ return arch_get_random_long(v);
5780 + }
5781 + #endif
5782 +
5783 ++#ifdef CONFIG_SMP
5784 ++int random_prepare_cpu(unsigned int cpu);
5785 ++int random_online_cpu(unsigned int cpu);
5786 ++#endif
5787 ++
5788 ++#ifndef MODULE
5789 ++extern const struct file_operations random_fops, urandom_fops;
5790 ++#endif
5791 ++
5792 + #endif /* _LINUX_RANDOM_H */
5793 +diff --git a/include/linux/siphash.h b/include/linux/siphash.h
5794 +index 0cda61855d907..0bb5ecd507bef 100644
5795 +--- a/include/linux/siphash.h
5796 ++++ b/include/linux/siphash.h
5797 +@@ -136,4 +136,32 @@ static inline u32 hsiphash(const void *data, size_t len,
5798 + return ___hsiphash_aligned(data, len, key);
5799 + }
5800 +
5801 ++/*
5802 ++ * These macros expose the raw SipHash and HalfSipHash permutations.
5803 ++ * Do not use them directly! If you think you have a use for them,
5804 ++ * be sure to CC the maintainer of this file explaining why.
5805 ++ */
5806 ++
5807 ++#define SIPHASH_PERMUTATION(a, b, c, d) ( \
5808 ++ (a) += (b), (b) = rol64((b), 13), (b) ^= (a), (a) = rol64((a), 32), \
5809 ++ (c) += (d), (d) = rol64((d), 16), (d) ^= (c), \
5810 ++ (a) += (d), (d) = rol64((d), 21), (d) ^= (a), \
5811 ++ (c) += (b), (b) = rol64((b), 17), (b) ^= (c), (c) = rol64((c), 32))
5812 ++
5813 ++#define SIPHASH_CONST_0 0x736f6d6570736575ULL
5814 ++#define SIPHASH_CONST_1 0x646f72616e646f6dULL
5815 ++#define SIPHASH_CONST_2 0x6c7967656e657261ULL
5816 ++#define SIPHASH_CONST_3 0x7465646279746573ULL
5817 ++
5818 ++#define HSIPHASH_PERMUTATION(a, b, c, d) ( \
5819 ++ (a) += (b), (b) = rol32((b), 5), (b) ^= (a), (a) = rol32((a), 16), \
5820 ++ (c) += (d), (d) = rol32((d), 8), (d) ^= (c), \
5821 ++ (a) += (d), (d) = rol32((d), 7), (d) ^= (a), \
5822 ++ (c) += (b), (b) = rol32((b), 13), (b) ^= (c), (c) = rol32((c), 16))
5823 ++
5824 ++#define HSIPHASH_CONST_0 0U
5825 ++#define HSIPHASH_CONST_1 0U
5826 ++#define HSIPHASH_CONST_2 0x6c796765U
5827 ++#define HSIPHASH_CONST_3 0x74656462U
5828 ++
5829 + #endif /* _LINUX_SIPHASH_H */
5830 +diff --git a/include/linux/timex.h b/include/linux/timex.h
5831 +index 39c25dbebfe80..c7616cfb48d20 100644
5832 +--- a/include/linux/timex.h
5833 ++++ b/include/linux/timex.h
5834 +@@ -62,6 +62,8 @@
5835 + #include <linux/types.h>
5836 + #include <linux/param.h>
5837 +
5838 ++unsigned long random_get_entropy_fallback(void);
5839 ++
5840 + #include <asm/timex.h>
5841 +
5842 + #ifndef random_get_entropy
5843 +@@ -74,8 +76,14 @@
5844 + *
5845 + * By default we use get_cycles() for this purpose, but individual
5846 + * architectures may override this in their asm/timex.h header file.
5847 ++ * If a given arch does not have get_cycles(), then we fallback to
5848 ++ * using random_get_entropy_fallback().
5849 + */
5850 +-#define random_get_entropy() get_cycles()
5851 ++#ifdef get_cycles
5852 ++#define random_get_entropy() ((unsigned long)get_cycles())
5853 ++#else
5854 ++#define random_get_entropy() random_get_entropy_fallback()
5855 ++#endif
5856 + #endif
5857 +
5858 + /*
5859 +diff --git a/include/trace/events/random.h b/include/trace/events/random.h
5860 +deleted file mode 100644
5861 +index 0560dfc33f1c3..0000000000000
5862 +--- a/include/trace/events/random.h
5863 ++++ /dev/null
5864 +@@ -1,316 +0,0 @@
5865 +-/* SPDX-License-Identifier: GPL-2.0 */
5866 +-#undef TRACE_SYSTEM
5867 +-#define TRACE_SYSTEM random
5868 +-
5869 +-#if !defined(_TRACE_RANDOM_H) || defined(TRACE_HEADER_MULTI_READ)
5870 +-#define _TRACE_RANDOM_H
5871 +-
5872 +-#include <linux/writeback.h>
5873 +-#include <linux/tracepoint.h>
5874 +-
5875 +-TRACE_EVENT(add_device_randomness,
5876 +- TP_PROTO(int bytes, unsigned long IP),
5877 +-
5878 +- TP_ARGS(bytes, IP),
5879 +-
5880 +- TP_STRUCT__entry(
5881 +- __field( int, bytes )
5882 +- __field(unsigned long, IP )
5883 +- ),
5884 +-
5885 +- TP_fast_assign(
5886 +- __entry->bytes = bytes;
5887 +- __entry->IP = IP;
5888 +- ),
5889 +-
5890 +- TP_printk("bytes %d caller %pS",
5891 +- __entry->bytes, (void *)__entry->IP)
5892 +-);
5893 +-
5894 +-DECLARE_EVENT_CLASS(random__mix_pool_bytes,
5895 +- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
5896 +-
5897 +- TP_ARGS(pool_name, bytes, IP),
5898 +-
5899 +- TP_STRUCT__entry(
5900 +- __field( const char *, pool_name )
5901 +- __field( int, bytes )
5902 +- __field(unsigned long, IP )
5903 +- ),
5904 +-
5905 +- TP_fast_assign(
5906 +- __entry->pool_name = pool_name;
5907 +- __entry->bytes = bytes;
5908 +- __entry->IP = IP;
5909 +- ),
5910 +-
5911 +- TP_printk("%s pool: bytes %d caller %pS",
5912 +- __entry->pool_name, __entry->bytes, (void *)__entry->IP)
5913 +-);
5914 +-
5915 +-DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes,
5916 +- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
5917 +-
5918 +- TP_ARGS(pool_name, bytes, IP)
5919 +-);
5920 +-
5921 +-DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock,
5922 +- TP_PROTO(const char *pool_name, int bytes, unsigned long IP),
5923 +-
5924 +- TP_ARGS(pool_name, bytes, IP)
5925 +-);
5926 +-
5927 +-TRACE_EVENT(credit_entropy_bits,
5928 +- TP_PROTO(const char *pool_name, int bits, int entropy_count,
5929 +- int entropy_total, unsigned long IP),
5930 +-
5931 +- TP_ARGS(pool_name, bits, entropy_count, entropy_total, IP),
5932 +-
5933 +- TP_STRUCT__entry(
5934 +- __field( const char *, pool_name )
5935 +- __field( int, bits )
5936 +- __field( int, entropy_count )
5937 +- __field( int, entropy_total )
5938 +- __field(unsigned long, IP )
5939 +- ),
5940 +-
5941 +- TP_fast_assign(
5942 +- __entry->pool_name = pool_name;
5943 +- __entry->bits = bits;
5944 +- __entry->entropy_count = entropy_count;
5945 +- __entry->entropy_total = entropy_total;
5946 +- __entry->IP = IP;
5947 +- ),
5948 +-
5949 +- TP_printk("%s pool: bits %d entropy_count %d entropy_total %d "
5950 +- "caller %pS", __entry->pool_name, __entry->bits,
5951 +- __entry->entropy_count, __entry->entropy_total,
5952 +- (void *)__entry->IP)
5953 +-);
5954 +-
5955 +-TRACE_EVENT(push_to_pool,
5956 +- TP_PROTO(const char *pool_name, int pool_bits, int input_bits),
5957 +-
5958 +- TP_ARGS(pool_name, pool_bits, input_bits),
5959 +-
5960 +- TP_STRUCT__entry(
5961 +- __field( const char *, pool_name )
5962 +- __field( int, pool_bits )
5963 +- __field( int, input_bits )
5964 +- ),
5965 +-
5966 +- TP_fast_assign(
5967 +- __entry->pool_name = pool_name;
5968 +- __entry->pool_bits = pool_bits;
5969 +- __entry->input_bits = input_bits;
5970 +- ),
5971 +-
5972 +- TP_printk("%s: pool_bits %d input_pool_bits %d",
5973 +- __entry->pool_name, __entry->pool_bits,
5974 +- __entry->input_bits)
5975 +-);
5976 +-
5977 +-TRACE_EVENT(debit_entropy,
5978 +- TP_PROTO(const char *pool_name, int debit_bits),
5979 +-
5980 +- TP_ARGS(pool_name, debit_bits),
5981 +-
5982 +- TP_STRUCT__entry(
5983 +- __field( const char *, pool_name )
5984 +- __field( int, debit_bits )
5985 +- ),
5986 +-
5987 +- TP_fast_assign(
5988 +- __entry->pool_name = pool_name;
5989 +- __entry->debit_bits = debit_bits;
5990 +- ),
5991 +-
5992 +- TP_printk("%s: debit_bits %d", __entry->pool_name,
5993 +- __entry->debit_bits)
5994 +-);
5995 +-
5996 +-TRACE_EVENT(add_input_randomness,
5997 +- TP_PROTO(int input_bits),
5998 +-
5999 +- TP_ARGS(input_bits),
6000 +-
6001 +- TP_STRUCT__entry(
6002 +- __field( int, input_bits )
6003 +- ),
6004 +-
6005 +- TP_fast_assign(
6006 +- __entry->input_bits = input_bits;
6007 +- ),
6008 +-
6009 +- TP_printk("input_pool_bits %d", __entry->input_bits)
6010 +-);
6011 +-
6012 +-TRACE_EVENT(add_disk_randomness,
6013 +- TP_PROTO(dev_t dev, int input_bits),
6014 +-
6015 +- TP_ARGS(dev, input_bits),
6016 +-
6017 +- TP_STRUCT__entry(
6018 +- __field( dev_t, dev )
6019 +- __field( int, input_bits )
6020 +- ),
6021 +-
6022 +- TP_fast_assign(
6023 +- __entry->dev = dev;
6024 +- __entry->input_bits = input_bits;
6025 +- ),
6026 +-
6027 +- TP_printk("dev %d,%d input_pool_bits %d", MAJOR(__entry->dev),
6028 +- MINOR(__entry->dev), __entry->input_bits)
6029 +-);
6030 +-
6031 +-TRACE_EVENT(xfer_secondary_pool,
6032 +- TP_PROTO(const char *pool_name, int xfer_bits, int request_bits,
6033 +- int pool_entropy, int input_entropy),
6034 +-
6035 +- TP_ARGS(pool_name, xfer_bits, request_bits, pool_entropy,
6036 +- input_entropy),
6037 +-
6038 +- TP_STRUCT__entry(
6039 +- __field( const char *, pool_name )
6040 +- __field( int, xfer_bits )
6041 +- __field( int, request_bits )
6042 +- __field( int, pool_entropy )
6043 +- __field( int, input_entropy )
6044 +- ),
6045 +-
6046 +- TP_fast_assign(
6047 +- __entry->pool_name = pool_name;
6048 +- __entry->xfer_bits = xfer_bits;
6049 +- __entry->request_bits = request_bits;
6050 +- __entry->pool_entropy = pool_entropy;
6051 +- __entry->input_entropy = input_entropy;
6052 +- ),
6053 +-
6054 +- TP_printk("pool %s xfer_bits %d request_bits %d pool_entropy %d "
6055 +- "input_entropy %d", __entry->pool_name, __entry->xfer_bits,
6056 +- __entry->request_bits, __entry->pool_entropy,
6057 +- __entry->input_entropy)
6058 +-);
6059 +-
6060 +-DECLARE_EVENT_CLASS(random__get_random_bytes,
6061 +- TP_PROTO(int nbytes, unsigned long IP),
6062 +-
6063 +- TP_ARGS(nbytes, IP),
6064 +-
6065 +- TP_STRUCT__entry(
6066 +- __field( int, nbytes )
6067 +- __field(unsigned long, IP )
6068 +- ),
6069 +-
6070 +- TP_fast_assign(
6071 +- __entry->nbytes = nbytes;
6072 +- __entry->IP = IP;
6073 +- ),
6074 +-
6075 +- TP_printk("nbytes %d caller %pS", __entry->nbytes, (void *)__entry->IP)
6076 +-);
6077 +-
6078 +-DEFINE_EVENT(random__get_random_bytes, get_random_bytes,
6079 +- TP_PROTO(int nbytes, unsigned long IP),
6080 +-
6081 +- TP_ARGS(nbytes, IP)
6082 +-);
6083 +-
6084 +-DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch,
6085 +- TP_PROTO(int nbytes, unsigned long IP),
6086 +-
6087 +- TP_ARGS(nbytes, IP)
6088 +-);
6089 +-
6090 +-DECLARE_EVENT_CLASS(random__extract_entropy,
6091 +- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
6092 +- unsigned long IP),
6093 +-
6094 +- TP_ARGS(pool_name, nbytes, entropy_count, IP),
6095 +-
6096 +- TP_STRUCT__entry(
6097 +- __field( const char *, pool_name )
6098 +- __field( int, nbytes )
6099 +- __field( int, entropy_count )
6100 +- __field(unsigned long, IP )
6101 +- ),
6102 +-
6103 +- TP_fast_assign(
6104 +- __entry->pool_name = pool_name;
6105 +- __entry->nbytes = nbytes;
6106 +- __entry->entropy_count = entropy_count;
6107 +- __entry->IP = IP;
6108 +- ),
6109 +-
6110 +- TP_printk("%s pool: nbytes %d entropy_count %d caller %pS",
6111 +- __entry->pool_name, __entry->nbytes, __entry->entropy_count,
6112 +- (void *)__entry->IP)
6113 +-);
6114 +-
6115 +-
6116 +-DEFINE_EVENT(random__extract_entropy, extract_entropy,
6117 +- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
6118 +- unsigned long IP),
6119 +-
6120 +- TP_ARGS(pool_name, nbytes, entropy_count, IP)
6121 +-);
6122 +-
6123 +-DEFINE_EVENT(random__extract_entropy, extract_entropy_user,
6124 +- TP_PROTO(const char *pool_name, int nbytes, int entropy_count,
6125 +- unsigned long IP),
6126 +-
6127 +- TP_ARGS(pool_name, nbytes, entropy_count, IP)
6128 +-);
6129 +-
6130 +-TRACE_EVENT(random_read,
6131 +- TP_PROTO(int got_bits, int need_bits, int pool_left, int input_left),
6132 +-
6133 +- TP_ARGS(got_bits, need_bits, pool_left, input_left),
6134 +-
6135 +- TP_STRUCT__entry(
6136 +- __field( int, got_bits )
6137 +- __field( int, need_bits )
6138 +- __field( int, pool_left )
6139 +- __field( int, input_left )
6140 +- ),
6141 +-
6142 +- TP_fast_assign(
6143 +- __entry->got_bits = got_bits;
6144 +- __entry->need_bits = need_bits;
6145 +- __entry->pool_left = pool_left;
6146 +- __entry->input_left = input_left;
6147 +- ),
6148 +-
6149 +- TP_printk("got_bits %d still_needed_bits %d "
6150 +- "blocking_pool_entropy_left %d input_entropy_left %d",
6151 +- __entry->got_bits, __entry->got_bits, __entry->pool_left,
6152 +- __entry->input_left)
6153 +-);
6154 +-
6155 +-TRACE_EVENT(urandom_read,
6156 +- TP_PROTO(int got_bits, int pool_left, int input_left),
6157 +-
6158 +- TP_ARGS(got_bits, pool_left, input_left),
6159 +-
6160 +- TP_STRUCT__entry(
6161 +- __field( int, got_bits )
6162 +- __field( int, pool_left )
6163 +- __field( int, input_left )
6164 +- ),
6165 +-
6166 +- TP_fast_assign(
6167 +- __entry->got_bits = got_bits;
6168 +- __entry->pool_left = pool_left;
6169 +- __entry->input_left = input_left;
6170 +- ),
6171 +-
6172 +- TP_printk("got_bits %d nonblocking_pool_entropy_left %d "
6173 +- "input_entropy_left %d", __entry->got_bits,
6174 +- __entry->pool_left, __entry->input_left)
6175 +-);
6176 +-
6177 +-#endif /* _TRACE_RANDOM_H */
6178 +-
6179 +-/* This part must be outside protection */
6180 +-#include <trace/define_trace.h>
6181 +diff --git a/include/uapi/linux/random.h b/include/uapi/linux/random.h
6182 +index 26ee91300e3ec..dcc1b3e6106fe 100644
6183 +--- a/include/uapi/linux/random.h
6184 ++++ b/include/uapi/linux/random.h
6185 +@@ -48,9 +48,11 @@ struct rand_pool_info {
6186 + * Flags for getrandom(2)
6187 + *
6188 + * GRND_NONBLOCK Don't block and return EAGAIN instead
6189 +- * GRND_RANDOM Use the /dev/random pool instead of /dev/urandom
6190 ++ * GRND_RANDOM No effect
6191 ++ * GRND_INSECURE Return non-cryptographic random bytes
6192 + */
6193 + #define GRND_NONBLOCK 0x0001
6194 + #define GRND_RANDOM 0x0002
6195 ++#define GRND_INSECURE 0x0004
6196 +
6197 + #endif /* _UAPI_LINUX_RANDOM_H */
6198 +diff --git a/init/main.c b/init/main.c
6199 +index 272ec131211c0..489a5aa7ba53c 100644
6200 +--- a/init/main.c
6201 ++++ b/init/main.c
6202 +@@ -549,13 +549,6 @@ asmlinkage __visible void __init start_kernel(void)
6203 + page_address_init();
6204 + pr_notice("%s", linux_banner);
6205 + setup_arch(&command_line);
6206 +- /*
6207 +- * Set up the the initial canary and entropy after arch
6208 +- * and after adding latent and command line entropy.
6209 +- */
6210 +- add_latent_entropy();
6211 +- add_device_randomness(command_line, strlen(command_line));
6212 +- boot_init_stack_canary();
6213 + mm_init_cpumask(&init_mm);
6214 + setup_command_line(command_line);
6215 + setup_nr_cpu_ids();
6216 +@@ -641,6 +634,17 @@ asmlinkage __visible void __init start_kernel(void)
6217 + softirq_init();
6218 + timekeeping_init();
6219 + time_init();
6220 ++
6221 ++ /*
6222 ++ * For best initial stack canary entropy, prepare it after:
6223 ++ * - setup_arch() for any UEFI RNG entropy and boot cmdline access
6224 ++ * - timekeeping_init() for ktime entropy used in random_init()
6225 ++ * - time_init() for making random_get_entropy() work on some platforms
6226 ++ * - random_init() to initialize the RNG from from early entropy sources
6227 ++ */
6228 ++ random_init(command_line);
6229 ++ boot_init_stack_canary();
6230 ++
6231 + perf_event_init();
6232 + profile_init();
6233 + call_function_init();
6234 +diff --git a/kernel/cpu.c b/kernel/cpu.c
6235 +index d6fd362afc81f..c9ca190ec0347 100644
6236 +--- a/kernel/cpu.c
6237 ++++ b/kernel/cpu.c
6238 +@@ -32,6 +32,7 @@
6239 + #include <linux/slab.h>
6240 + #include <linux/percpu-rwsem.h>
6241 + #include <linux/cpuset.h>
6242 ++#include <linux/random.h>
6243 +
6244 + #include <trace/events/power.h>
6245 + #define CREATE_TRACE_POINTS
6246 +@@ -1404,6 +1405,11 @@ static struct cpuhp_step cpuhp_hp_states[] = {
6247 + .startup.single = perf_event_init_cpu,
6248 + .teardown.single = perf_event_exit_cpu,
6249 + },
6250 ++ [CPUHP_RANDOM_PREPARE] = {
6251 ++ .name = "random:prepare",
6252 ++ .startup.single = random_prepare_cpu,
6253 ++ .teardown.single = NULL,
6254 ++ },
6255 + [CPUHP_WORKQUEUE_PREP] = {
6256 + .name = "workqueue:prepare",
6257 + .startup.single = workqueue_prepare_cpu,
6258 +@@ -1520,6 +1526,11 @@ static struct cpuhp_step cpuhp_hp_states[] = {
6259 + .startup.single = workqueue_online_cpu,
6260 + .teardown.single = workqueue_offline_cpu,
6261 + },
6262 ++ [CPUHP_AP_RANDOM_ONLINE] = {
6263 ++ .name = "random:online",
6264 ++ .startup.single = random_online_cpu,
6265 ++ .teardown.single = NULL,
6266 ++ },
6267 + [CPUHP_AP_RCUTREE_ONLINE] = {
6268 + .name = "RCU/tree:online",
6269 + .startup.single = rcutree_online_cpu,
6270 +diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
6271 +index 38554bc353755..e2f7afcb1ae69 100644
6272 +--- a/kernel/irq/handle.c
6273 ++++ b/kernel/irq/handle.c
6274 +@@ -188,7 +188,7 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
6275 +
6276 + retval = __handle_irq_event_percpu(desc, &flags);
6277 +
6278 +- add_interrupt_randomness(desc->irq_data.irq, flags);
6279 ++ add_interrupt_randomness(desc->irq_data.irq);
6280 +
6281 + if (!noirqdebug)
6282 + note_interrupt(desc, retval);
6283 +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
6284 +index f246818e35dbc..087f71183c3f2 100644
6285 +--- a/kernel/time/timekeeping.c
6286 ++++ b/kernel/time/timekeeping.c
6287 +@@ -22,6 +22,7 @@
6288 + #include <linux/clocksource.h>
6289 + #include <linux/jiffies.h>
6290 + #include <linux/time.h>
6291 ++#include <linux/timex.h>
6292 + #include <linux/tick.h>
6293 + #include <linux/stop_machine.h>
6294 + #include <linux/pvclock_gtod.h>
6295 +@@ -2308,6 +2309,20 @@ static int timekeeping_validate_timex(const struct timex *txc)
6296 + return 0;
6297 + }
6298 +
6299 ++/**
6300 ++ * random_get_entropy_fallback - Returns the raw clock source value,
6301 ++ * used by random.c for platforms with no valid random_get_entropy().
6302 ++ */
6303 ++unsigned long random_get_entropy_fallback(void)
6304 ++{
6305 ++ struct tk_read_base *tkr = &tk_core.timekeeper.tkr_mono;
6306 ++ struct clocksource *clock = READ_ONCE(tkr->clock);
6307 ++
6308 ++ if (unlikely(timekeeping_suspended || !clock))
6309 ++ return 0;
6310 ++ return clock->read(clock);
6311 ++}
6312 ++EXPORT_SYMBOL_GPL(random_get_entropy_fallback);
6313 +
6314 + /**
6315 + * do_adjtimex() - Accessor function to NTP __do_adjtimex function
6316 +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
6317 +index 621859a453f82..9a4277034c647 100644
6318 +--- a/lib/Kconfig.debug
6319 ++++ b/lib/Kconfig.debug
6320 +@@ -1277,8 +1277,7 @@ config WARN_ALL_UNSEEDED_RANDOM
6321 + so architecture maintainers really need to do what they can
6322 + to get the CRNG seeded sooner after the system is booted.
6323 + However, since users cannot do anything actionable to
6324 +- address this, by default the kernel will issue only a single
6325 +- warning for the first use of unseeded randomness.
6326 ++ address this, by default this option is disabled.
6327 +
6328 + Say Y here if you want to receive warnings for all uses of
6329 + unseeded randomness. This will be of use primarily for
6330 +diff --git a/lib/Makefile b/lib/Makefile
6331 +index 1d7a705d72074..e08544c509a84 100644
6332 +--- a/lib/Makefile
6333 ++++ b/lib/Makefile
6334 +@@ -283,3 +283,5 @@ obj-$(CONFIG_GENERIC_LIB_LSHRDI3) += lshrdi3.o
6335 + obj-$(CONFIG_GENERIC_LIB_MULDI3) += muldi3.o
6336 + obj-$(CONFIG_GENERIC_LIB_CMPDI2) += cmpdi2.o
6337 + obj-$(CONFIG_GENERIC_LIB_UCMPDI2) += ucmpdi2.o
6338 ++
6339 ++obj-y += crypto/
6340 +diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
6341 +new file mode 100644
6342 +index 0000000000000..d0bca68618f03
6343 +--- /dev/null
6344 ++++ b/lib/crypto/Makefile
6345 +@@ -0,0 +1,7 @@
6346 ++# SPDX-License-Identifier: GPL-2.0
6347 ++
6348 ++obj-y += libblake2s.o
6349 ++libblake2s-y += blake2s.o blake2s-generic.o
6350 ++ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
6351 ++libblake2s-y += blake2s-selftest.o
6352 ++endif
6353 +diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
6354 +new file mode 100644
6355 +index 0000000000000..04ff8df245136
6356 +--- /dev/null
6357 ++++ b/lib/crypto/blake2s-generic.c
6358 +@@ -0,0 +1,111 @@
6359 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
6360 ++/*
6361 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
6362 ++ *
6363 ++ * This is an implementation of the BLAKE2s hash and PRF functions.
6364 ++ *
6365 ++ * Information: https://blake2.net/
6366 ++ *
6367 ++ */
6368 ++
6369 ++#include <crypto/internal/blake2s.h>
6370 ++#include <linux/types.h>
6371 ++#include <linux/string.h>
6372 ++#include <linux/kernel.h>
6373 ++#include <linux/module.h>
6374 ++#include <linux/init.h>
6375 ++#include <linux/bug.h>
6376 ++#include <asm/unaligned.h>
6377 ++
6378 ++static const u8 blake2s_sigma[10][16] = {
6379 ++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
6380 ++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
6381 ++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
6382 ++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
6383 ++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
6384 ++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
6385 ++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
6386 ++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
6387 ++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
6388 ++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
6389 ++};
6390 ++
6391 ++static inline void blake2s_increment_counter(struct blake2s_state *state,
6392 ++ const u32 inc)
6393 ++{
6394 ++ state->t[0] += inc;
6395 ++ state->t[1] += (state->t[0] < inc);
6396 ++}
6397 ++
6398 ++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
6399 ++ size_t nblocks, const u32 inc)
6400 ++{
6401 ++ u32 m[16];
6402 ++ u32 v[16];
6403 ++ int i;
6404 ++
6405 ++ WARN_ON(IS_ENABLED(DEBUG) &&
6406 ++ (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
6407 ++
6408 ++ while (nblocks > 0) {
6409 ++ blake2s_increment_counter(state, inc);
6410 ++ memcpy(m, block, BLAKE2S_BLOCK_SIZE);
6411 ++ le32_to_cpu_array(m, ARRAY_SIZE(m));
6412 ++ memcpy(v, state->h, 32);
6413 ++ v[ 8] = BLAKE2S_IV0;
6414 ++ v[ 9] = BLAKE2S_IV1;
6415 ++ v[10] = BLAKE2S_IV2;
6416 ++ v[11] = BLAKE2S_IV3;
6417 ++ v[12] = BLAKE2S_IV4 ^ state->t[0];
6418 ++ v[13] = BLAKE2S_IV5 ^ state->t[1];
6419 ++ v[14] = BLAKE2S_IV6 ^ state->f[0];
6420 ++ v[15] = BLAKE2S_IV7 ^ state->f[1];
6421 ++
6422 ++#define G(r, i, a, b, c, d) do { \
6423 ++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
6424 ++ d = ror32(d ^ a, 16); \
6425 ++ c += d; \
6426 ++ b = ror32(b ^ c, 12); \
6427 ++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
6428 ++ d = ror32(d ^ a, 8); \
6429 ++ c += d; \
6430 ++ b = ror32(b ^ c, 7); \
6431 ++} while (0)
6432 ++
6433 ++#define ROUND(r) do { \
6434 ++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
6435 ++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
6436 ++ G(r, 2, v[2], v[ 6], v[10], v[14]); \
6437 ++ G(r, 3, v[3], v[ 7], v[11], v[15]); \
6438 ++ G(r, 4, v[0], v[ 5], v[10], v[15]); \
6439 ++ G(r, 5, v[1], v[ 6], v[11], v[12]); \
6440 ++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
6441 ++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
6442 ++} while (0)
6443 ++ ROUND(0);
6444 ++ ROUND(1);
6445 ++ ROUND(2);
6446 ++ ROUND(3);
6447 ++ ROUND(4);
6448 ++ ROUND(5);
6449 ++ ROUND(6);
6450 ++ ROUND(7);
6451 ++ ROUND(8);
6452 ++ ROUND(9);
6453 ++
6454 ++#undef G
6455 ++#undef ROUND
6456 ++
6457 ++ for (i = 0; i < 8; ++i)
6458 ++ state->h[i] ^= v[i] ^ v[i + 8];
6459 ++
6460 ++ block += BLAKE2S_BLOCK_SIZE;
6461 ++ --nblocks;
6462 ++ }
6463 ++}
6464 ++
6465 ++EXPORT_SYMBOL(blake2s_compress_generic);
6466 ++
6467 ++MODULE_LICENSE("GPL v2");
6468 ++MODULE_DESCRIPTION("BLAKE2s hash function");
6469 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
6470 +diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
6471 +new file mode 100644
6472 +index 0000000000000..7a9edc96ddddf
6473 +--- /dev/null
6474 ++++ b/lib/crypto/blake2s-selftest.c
6475 +@@ -0,0 +1,591 @@
6476 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
6477 ++/*
6478 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
6479 ++ */
6480 ++
6481 ++#include <crypto/blake2s.h>
6482 ++#include <linux/string.h>
6483 ++
6484 ++/*
6485 ++ * blake2s_testvecs[] generated with the program below (using libb2-dev and
6486 ++ * libssl-dev [OpenSSL])
6487 ++ *
6488 ++ * #include <blake2.h>
6489 ++ * #include <stdint.h>
6490 ++ * #include <stdio.h>
6491 ++ *
6492 ++ * #include <openssl/evp.h>
6493 ++ *
6494 ++ * #define BLAKE2S_TESTVEC_COUNT 256
6495 ++ *
6496 ++ * static void print_vec(const uint8_t vec[], int len)
6497 ++ * {
6498 ++ * int i;
6499 ++ *
6500 ++ * printf(" { ");
6501 ++ * for (i = 0; i < len; i++) {
6502 ++ * if (i && (i % 12) == 0)
6503 ++ * printf("\n ");
6504 ++ * printf("0x%02x, ", vec[i]);
6505 ++ * }
6506 ++ * printf("},\n");
6507 ++ * }
6508 ++ *
6509 ++ * int main(void)
6510 ++ * {
6511 ++ * uint8_t key[BLAKE2S_KEYBYTES];
6512 ++ * uint8_t buf[BLAKE2S_TESTVEC_COUNT];
6513 ++ * uint8_t hash[BLAKE2S_OUTBYTES];
6514 ++ * int i, j;
6515 ++ *
6516 ++ * key[0] = key[1] = 1;
6517 ++ * for (i = 2; i < BLAKE2S_KEYBYTES; ++i)
6518 ++ * key[i] = key[i - 2] + key[i - 1];
6519 ++ *
6520 ++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i)
6521 ++ * buf[i] = (uint8_t)i;
6522 ++ *
6523 ++ * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
6524 ++ *
6525 ++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) {
6526 ++ * int outlen = 1 + i % BLAKE2S_OUTBYTES;
6527 ++ * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1);
6528 ++ *
6529 ++ * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i,
6530 ++ * keylen);
6531 ++ * print_vec(hash, outlen);
6532 ++ * }
6533 ++ * printf("};\n\n");
6534 ++ *
6535 ++ * return 0;
6536 ++ *}
6537 ++ */
6538 ++static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
6539 ++ { 0xa1, },
6540 ++ { 0x7c, 0x89, },
6541 ++ { 0x74, 0x0e, 0xd4, },
6542 ++ { 0x47, 0x0c, 0x21, 0x15, },
6543 ++ { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, },
6544 ++ { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, },
6545 ++ { 0x2c, 0xb5, 0x04, 0xb7, 0x99, 0xe2, 0x73, },
6546 ++ { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, },
6547 ++ { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, },
6548 ++ { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, },
6549 ++ { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, },
6550 ++ { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, },
6551 ++ { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda,
6552 ++ 0xb7, },
6553 ++ { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25,
6554 ++ 0x52, 0x3e, },
6555 ++ { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc,
6556 ++ 0x57, 0xe2, 0x27, },
6557 ++ { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6,
6558 ++ 0x47, 0x2a, 0xc7, 0xf5, },
6559 ++ { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43,
6560 ++ 0xe7, 0x72, 0x08, 0xec, 0xbe, },
6561 ++ { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96,
6562 ++ 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, },
6563 ++ { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e,
6564 ++ 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, },
6565 ++ { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d,
6566 ++ 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, },
6567 ++ { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86,
6568 ++ 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, },
6569 ++ { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41,
6570 ++ 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, },
6571 ++ { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22,
6572 ++ 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, },
6573 ++ { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00,
6574 ++ 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, },
6575 ++ { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9,
6576 ++ 0x6a, 0xe7, 0xcb, 0xc4, 0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13,
6577 ++ 0xd1, },
6578 ++ { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05,
6579 ++ 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07,
6580 ++ 0x01, 0x3e, },
6581 ++ { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74,
6582 ++ 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b,
6583 ++ 0xec, 0x13, 0xed, },
6584 ++ { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7,
6585 ++ 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37,
6586 ++ 0x72, 0x67, 0x09, 0xfc, },
6587 ++ { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38,
6588 ++ 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c,
6589 ++ 0x95, 0x29, 0x19, 0xf2, 0x4b, },
6590 ++ { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22,
6591 ++ 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30,
6592 ++ 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, },
6593 ++ { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e,
6594 ++ 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd,
6595 ++ 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, },
6596 ++ { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe,
6597 ++ 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61,
6598 ++ 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, },
6599 ++ { 0x0a, },
6600 ++ { 0x6e, 0xd4, },
6601 ++ { 0x64, 0xe9, 0xd1, },
6602 ++ { 0x30, 0xdd, 0x71, 0xef, },
6603 ++ { 0x11, 0xb5, 0x0c, 0x87, 0xc9, },
6604 ++ { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, },
6605 ++ { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, },
6606 ++ { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, },
6607 ++ { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, },
6608 ++ { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, },
6609 ++ { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, },
6610 ++ { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, },
6611 ++ { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf,
6612 ++ 0xe2, },
6613 ++ { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64,
6614 ++ 0x7e, 0xb0, },
6615 ++ { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51,
6616 ++ 0x98, 0x0a, 0x8d, },
6617 ++ { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04,
6618 ++ 0xf1, 0xc3, 0x94, 0xd8, },
6619 ++ { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7,
6620 ++ 0x2c, 0xe8, 0x8f, 0xc7, 0x34, },
6621 ++ { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41,
6622 ++ 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, },
6623 ++ { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81,
6624 ++ 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, },
6625 ++ { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4,
6626 ++ 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, },
6627 ++ { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a,
6628 ++ 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, },
6629 ++ { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb,
6630 ++ 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, },
6631 ++ { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9,
6632 ++ 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, },
6633 ++ { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9,
6634 ++ 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, },
6635 ++ { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e,
6636 ++ 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42,
6637 ++ 0xe3, },
6638 ++ { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9,
6639 ++ 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e,
6640 ++ 0xe3, 0x90, },
6641 ++ { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 0x7d, 0x75, 0xc3,
6642 ++ 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10,
6643 ++ 0x58, 0x06, 0x9a, },
6644 ++ { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5,
6645 ++ 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d,
6646 ++ 0x53, 0x03, 0x1a, 0x39, },
6647 ++ { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0,
6648 ++ 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5,
6649 ++ 0xd4, 0x36, 0xb1, 0xac, 0x73, },
6650 ++ { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59,
6651 ++ 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90,
6652 ++ 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, },
6653 ++ { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28,
6654 ++ 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75,
6655 ++ 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, },
6656 ++ { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6,
6657 ++ 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77,
6658 ++ 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, },
6659 ++ { 0x9d, },
6660 ++ { 0x9d, 0x7d, },
6661 ++ { 0xfd, 0xc3, 0xda, },
6662 ++ { 0xe8, 0x82, 0xcd, 0x21, },
6663 ++ { 0xc3, 0x1d, 0x42, 0x4c, 0x74, },
6664 ++ { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, },
6665 ++ { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, },
6666 ++ { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, },
6667 ++ { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, },
6668 ++ { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, },
6669 ++ { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, },
6670 ++ { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, },
6671 ++ { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3,
6672 ++ 0x63, },
6673 ++ { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f,
6674 ++ 0xe6, 0xa9, },
6675 ++ { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 0xf2, 0x62, 0x0a,
6676 ++ 0xf6, 0x0e, 0x20, },
6677 ++ { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39,
6678 ++ 0x18, 0x3e, 0xc7, 0xc3, },
6679 ++ { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c,
6680 ++ 0x92, 0xfc, 0x7f, 0x34, 0x41, },
6681 ++ { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb,
6682 ++ 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, },
6683 ++ { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96,
6684 ++ 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, },
6685 ++ { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6,
6686 ++ 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, },
6687 ++ { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba,
6688 ++ 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, },
6689 ++ { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0,
6690 ++ 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, },
6691 ++ { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d,
6692 ++ 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, },
6693 ++ { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59,
6694 ++ 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, },
6695 ++ { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89,
6696 ++ 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e,
6697 ++ 0xaf, },
6698 ++ { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc,
6699 ++ 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7,
6700 ++ 0xb1, 0x1d, },
6701 ++ { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9,
6702 ++ 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf,
6703 ++ 0xee, 0x6a, 0xbe, },
6704 ++ { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8,
6705 ++ 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd,
6706 ++ 0x5c, 0xef, 0xa3, 0x25, },
6707 ++ { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6,
6708 ++ 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8,
6709 ++ 0x4b, 0x0e, 0xe3, 0x94, 0x9f, },
6710 ++ { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc,
6711 ++ 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf,
6712 ++ 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, },
6713 ++ { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76,
6714 ++ 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46,
6715 ++ 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, },
6716 ++ { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02,
6717 ++ 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3,
6718 ++ 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, },
6719 ++ { 0x02, },
6720 ++ { 0x52, 0xa8, },
6721 ++ { 0x38, 0x25, 0x0d, },
6722 ++ { 0xe3, 0x04, 0xd4, 0x92, },
6723 ++ { 0x97, 0xdb, 0xf7, 0x81, 0xca, },
6724 ++ { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, },
6725 ++ { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, },
6726 ++ { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, },
6727 ++ { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, },
6728 ++ { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, },
6729 ++ { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, },
6730 ++ { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, },
6731 ++ { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa,
6732 ++ 0xd3, },
6733 ++ { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c,
6734 ++ 0xb7, 0x9a, },
6735 ++ { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31,
6736 ++ 0x3d, 0x47, 0x3d, },
6737 ++ { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0,
6738 ++ 0x24, 0xf0, 0x17, 0xc0, },
6739 ++ { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76,
6740 ++ 0xd2, 0xfd, 0x0c, 0x47, 0x40, },
6741 ++ { 0xa1, 0xd8, 0x09, 0x97, 0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae,
6742 ++ 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, },
6743 ++ { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee,
6744 ++ 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, },
6745 ++ { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d,
6746 ++ 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, },
6747 ++ { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61,
6748 ++ 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, },
6749 ++ { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd,
6750 ++ 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, },
6751 ++ { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5,
6752 ++ 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, },
6753 ++ { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17,
6754 ++ 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, },
6755 ++ { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c,
6756 ++ 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c,
6757 ++ 0xae, },
6758 ++ { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5,
6759 ++ 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d,
6760 ++ 0x59, 0x00, },
6761 ++ { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e,
6762 ++ 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c,
6763 ++ 0x5a, 0x2c, 0x3b, },
6764 ++ { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda,
6765 ++ 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c,
6766 ++ 0x10, 0x07, 0x2a, 0xc4, },
6767 ++ { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14,
6768 ++ 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf,
6769 ++ 0xee, 0xa1, 0x74, 0xd6, 0x71, },
6770 ++ { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33,
6771 ++ 0xcf, 0x74, 0x25, 0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff,
6772 ++ 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, },
6773 ++ { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c,
6774 ++ 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44,
6775 ++ 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, },
6776 ++ { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff,
6777 ++ 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23,
6778 ++ 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, },
6779 ++ { 0xbe, },
6780 ++ { 0x17, 0x6c, },
6781 ++ { 0x1a, 0x42, 0x4f, },
6782 ++ { 0xba, 0xaf, 0xb7, 0x65, },
6783 ++ { 0xc2, 0x63, 0x43, 0x6a, 0xea, },
6784 ++ { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, },
6785 ++ { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, },
6786 ++ { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, },
6787 ++ { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, },
6788 ++ { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, },
6789 ++ { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, },
6790 ++ { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, },
6791 ++ { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92,
6792 ++ 0xe9, },
6793 ++ { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d,
6794 ++ 0xc4, 0xb3, },
6795 ++ { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60,
6796 ++ 0xd7, 0xd3, 0x5e, },
6797 ++ { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16,
6798 ++ 0xaf, 0x39, 0xbd, 0x92, },
6799 ++ { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10,
6800 ++ 0xd9, 0xa7, 0x66, 0x27, 0xcf, },
6801 ++ { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02,
6802 ++ 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, },
6803 ++ { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd,
6804 ++ 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, },
6805 ++ { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3,
6806 ++ 0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, },
6807 ++ { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f,
6808 ++ 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, },
6809 ++ { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51,
6810 ++ 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, },
6811 ++ { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3,
6812 ++ 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, },
6813 ++ { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda,
6814 ++ 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, },
6815 ++ { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6,
6816 ++ 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a,
6817 ++ 0x26, },
6818 ++ { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24,
6819 ++ 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35,
6820 ++ 0xf4, 0x1d, },
6821 ++ { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9,
6822 ++ 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46,
6823 ++ 0x4e, 0x29, 0x26, },
6824 ++ { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09,
6825 ++ 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98,
6826 ++ 0x1a, 0x5b, 0xff, 0xc9, },
6827 ++ { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2,
6828 ++ 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69,
6829 ++ 0xbf, 0xf6, 0xbe, 0x3c, 0x40, },
6830 ++ { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31,
6831 ++ 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20,
6832 ++ 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, },
6833 ++ { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4,
6834 ++ 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30,
6835 ++ 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, },
6836 ++ { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0,
6837 ++ 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5,
6838 ++ 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, },
6839 ++ { 0x1f, },
6840 ++ { 0x82, 0x60, },
6841 ++ { 0xcc, 0xe3, 0x08, },
6842 ++ { 0x56, 0x17, 0xe4, 0x59, },
6843 ++ { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, },
6844 ++ { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, },
6845 ++ { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, },
6846 ++ { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, },
6847 ++ { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, },
6848 ++ { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, },
6849 ++ { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, },
6850 ++ { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, },
6851 ++ { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc,
6852 ++ 0x5b, },
6853 ++ { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0,
6854 ++ 0x90, 0x48, },
6855 ++ { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60,
6856 ++ 0x04, 0xd9, 0xd5, },
6857 ++ { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47,
6858 ++ 0xe5, 0x31, 0x06, 0x70, },
6859 ++ { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c,
6860 ++ 0x70, 0x25, 0xdb, 0x33, 0x27, },
6861 ++ { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a,
6862 ++ 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, },
6863 ++ { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3,
6864 ++ 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, },
6865 ++ { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7,
6866 ++ 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, },
6867 ++ { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac,
6868 ++ 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, },
6869 ++ { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98,
6870 ++ 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 0x70, 0x82, 0x1c, 0x7b, 0x74, },
6871 ++ { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11,
6872 ++ 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, },
6873 ++ { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a,
6874 ++ 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, },
6875 ++ { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41,
6876 ++ 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70,
6877 ++ 0x88, },
6878 ++ { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4,
6879 ++ 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3,
6880 ++ 0xc6, 0xbb, },
6881 ++ { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55,
6882 ++ 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5,
6883 ++ 0x55, 0xfd, 0x4f, },
6884 ++ { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e,
6885 ++ 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2,
6886 ++ 0x42, 0x64, 0x3b, 0x1a, },
6887 ++ { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95,
6888 ++ 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5,
6889 ++ 0x1d, 0x60, 0x8f, 0x8a, 0x1d, },
6890 ++ { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4,
6891 ++ 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d,
6892 ++ 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, },
6893 ++ { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b,
6894 ++ 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3,
6895 ++ 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, },
6896 ++ { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf,
6897 ++ 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f,
6898 ++ 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, },
6899 ++ { 0x60, },
6900 ++ { 0x24, 0x26, },
6901 ++ { 0x47, 0xeb, 0xc9, },
6902 ++ { 0x4a, 0xd0, 0xbc, 0xf0, },
6903 ++ { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, },
6904 ++ { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, },
6905 ++ { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, },
6906 ++ { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, },
6907 ++ { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, },
6908 ++ { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, },
6909 ++ { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, },
6910 ++ { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, },
6911 ++ { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91,
6912 ++ 0x8d, },
6913 ++ { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33,
6914 ++ 0xbf, 0xa0, },
6915 ++ { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c,
6916 ++ 0xd5, 0x4b, 0xed, },
6917 ++ { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44,
6918 ++ 0xc8, 0x24, 0x0a, 0xb7, },
6919 ++ { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75,
6920 ++ 0xb2, 0x15, 0xd1, 0xb1, 0x10, },
6921 ++ { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35,
6922 ++ 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, },
6923 ++ { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9,
6924 ++ 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, },
6925 ++ { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47,
6926 ++ 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, },
6927 ++ { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35,
6928 ++ 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, },
6929 ++ { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1,
6930 ++ 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, },
6931 ++ { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21,
6932 ++ 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, },
6933 ++ { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4,
6934 ++ 0x6a, 0x32, 0x90, 0xfe, 0xb7, 0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, },
6935 ++ { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7,
6936 ++ 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7,
6937 ++ 0xd3, },
6938 ++ { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb,
6939 ++ 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16,
6940 ++ 0xa6, 0xd6, },
6941 ++ { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80,
6942 ++ 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88,
6943 ++ 0x55, 0xd1, 0xa9, },
6944 ++ { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54,
6945 ++ 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46,
6946 ++ 0xef, 0xb0, 0x00, 0x8d, },
6947 ++ { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8,
6948 ++ 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94,
6949 ++ 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, },
6950 ++ { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4,
6951 ++ 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67,
6952 ++ 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, },
6953 ++ { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02,
6954 ++ 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04,
6955 ++ 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, },
6956 ++ { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28,
6957 ++ 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca,
6958 ++ 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, },
6959 ++ { 0x7e, },
6960 ++ { 0x1e, 0x21, },
6961 ++ { 0x26, 0xd3, 0xdd, },
6962 ++ { 0x2c, 0xd4, 0xb3, 0x3d, },
6963 ++ { 0x86, 0x7b, 0x76, 0x3c, 0xf0, },
6964 ++ { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, },
6965 ++ { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, },
6966 ++ { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, },
6967 ++ { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, },
6968 ++ { 0x39, 0x93, 0xdf, 0xd5, 0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, },
6969 ++ { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, },
6970 ++ { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, },
6971 ++ { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77,
6972 ++ 0x66, },
6973 ++ { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31,
6974 ++ 0x55, 0x66, },
6975 ++ { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12,
6976 ++ 0x43, 0xbf, 0xa1, },
6977 ++ { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e,
6978 ++ 0x95, 0x8a, 0xc5, 0xed, },
6979 ++ { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef,
6980 ++ 0xf6, 0x2b, 0x3a, 0xba, 0x60, },
6981 ++ { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2,
6982 ++ 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, },
6983 ++ { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b,
6984 ++ 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, },
6985 ++ { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94,
6986 ++ 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, },
6987 ++ { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b,
6988 ++ 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, },
6989 ++ { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf,
6990 ++ 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, },
6991 ++ { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8,
6992 ++ 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, },
6993 ++ { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea,
6994 ++ 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, },
6995 ++ { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2,
6996 ++ 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0,
6997 ++ 0xd7, },
6998 ++ { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b,
6999 ++ 0xd1, 0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd,
7000 ++ 0xb6, 0xef, },
7001 ++ { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6,
7002 ++ 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57,
7003 ++ 0xef, 0xf8, 0x53, },
7004 ++ { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46,
7005 ++ 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89,
7006 ++ 0x89, 0xfd, 0xf7, 0x99, },
7007 ++ { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03,
7008 ++ 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a,
7009 ++ 0xa9, 0x8f, 0x2b, 0x59, 0xfb, },
7010 ++ { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb,
7011 ++ 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d,
7012 ++ 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, },
7013 ++ { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0,
7014 ++ 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d,
7015 ++ 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, },
7016 ++ { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c,
7017 ++ 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92,
7018 ++ 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
7019 ++};
7020 ++
7021 ++bool __init blake2s_selftest(void)
7022 ++{
7023 ++ u8 key[BLAKE2S_KEY_SIZE];
7024 ++ u8 buf[ARRAY_SIZE(blake2s_testvecs)];
7025 ++ u8 hash[BLAKE2S_HASH_SIZE];
7026 ++ struct blake2s_state state;
7027 ++ bool success = true;
7028 ++ int i, l;
7029 ++
7030 ++ key[0] = key[1] = 1;
7031 ++ for (i = 2; i < sizeof(key); ++i)
7032 ++ key[i] = key[i - 2] + key[i - 1];
7033 ++
7034 ++ for (i = 0; i < sizeof(buf); ++i)
7035 ++ buf[i] = (u8)i;
7036 ++
7037 ++ for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) {
7038 ++ int outlen = 1 + i % BLAKE2S_HASH_SIZE;
7039 ++ int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1);
7040 ++
7041 ++ blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, outlen, i,
7042 ++ keylen);
7043 ++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
7044 ++ pr_err("blake2s self-test %d: FAIL\n", i + 1);
7045 ++ success = false;
7046 ++ }
7047 ++
7048 ++ if (!keylen)
7049 ++ blake2s_init(&state, outlen);
7050 ++ else
7051 ++ blake2s_init_key(&state, outlen,
7052 ++ key + BLAKE2S_KEY_SIZE - keylen,
7053 ++ keylen);
7054 ++
7055 ++ blake2s_update(&state, buf, l);
7056 ++ blake2s_update(&state, buf + l, i - l);
7057 ++ blake2s_final(&state, hash);
7058 ++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
7059 ++ pr_err("blake2s init/update/final self-test %d: FAIL\n",
7060 ++ i + 1);
7061 ++ success = false;
7062 ++ }
7063 ++ }
7064 ++
7065 ++ return success;
7066 ++}
7067 +diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
7068 +new file mode 100644
7069 +index 0000000000000..536fce87555b3
7070 +--- /dev/null
7071 ++++ b/lib/crypto/blake2s.c
7072 +@@ -0,0 +1,78 @@
7073 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
7074 ++/*
7075 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
7076 ++ *
7077 ++ * This is an implementation of the BLAKE2s hash and PRF functions.
7078 ++ *
7079 ++ * Information: https://blake2.net/
7080 ++ *
7081 ++ */
7082 ++
7083 ++#include <crypto/internal/blake2s.h>
7084 ++#include <linux/types.h>
7085 ++#include <linux/string.h>
7086 ++#include <linux/kernel.h>
7087 ++#include <linux/module.h>
7088 ++#include <linux/init.h>
7089 ++#include <linux/bug.h>
7090 ++#include <asm/unaligned.h>
7091 ++
7092 ++bool blake2s_selftest(void);
7093 ++
7094 ++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
7095 ++{
7096 ++ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
7097 ++
7098 ++ if (unlikely(!inlen))
7099 ++ return;
7100 ++ if (inlen > fill) {
7101 ++ memcpy(state->buf + state->buflen, in, fill);
7102 ++ blake2s_compress_generic(state, state->buf, 1,
7103 ++ BLAKE2S_BLOCK_SIZE);
7104 ++ state->buflen = 0;
7105 ++ in += fill;
7106 ++ inlen -= fill;
7107 ++ }
7108 ++ if (inlen > BLAKE2S_BLOCK_SIZE) {
7109 ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
7110 ++ /* Hash one less (full) block than strictly possible */
7111 ++ blake2s_compress_generic(state, in, nblocks - 1,
7112 ++ BLAKE2S_BLOCK_SIZE);
7113 ++ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
7114 ++ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
7115 ++ }
7116 ++ memcpy(state->buf + state->buflen, in, inlen);
7117 ++ state->buflen += inlen;
7118 ++}
7119 ++EXPORT_SYMBOL(blake2s_update);
7120 ++
7121 ++void blake2s_final(struct blake2s_state *state, u8 *out)
7122 ++{
7123 ++ WARN_ON(IS_ENABLED(DEBUG) && !out);
7124 ++ blake2s_set_lastblock(state);
7125 ++ memset(state->buf + state->buflen, 0,
7126 ++ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
7127 ++ blake2s_compress_generic(state, state->buf, 1, state->buflen);
7128 ++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
7129 ++ memcpy(out, state->h, state->outlen);
7130 ++ memzero_explicit(state, sizeof(*state));
7131 ++}
7132 ++EXPORT_SYMBOL(blake2s_final);
7133 ++
7134 ++static int __init mod_init(void)
7135 ++{
7136 ++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
7137 ++ WARN_ON(!blake2s_selftest()))
7138 ++ return -ENODEV;
7139 ++ return 0;
7140 ++}
7141 ++
7142 ++static void __exit mod_exit(void)
7143 ++{
7144 ++}
7145 ++
7146 ++module_init(mod_init);
7147 ++module_exit(mod_exit);
7148 ++MODULE_LICENSE("GPL v2");
7149 ++MODULE_DESCRIPTION("BLAKE2s hash function");
7150 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
7151 +diff --git a/lib/random32.c b/lib/random32.c
7152 +index 9085b1172015e..339624191b515 100644
7153 +--- a/lib/random32.c
7154 ++++ b/lib/random32.c
7155 +@@ -38,6 +38,9 @@
7156 + #include <linux/jiffies.h>
7157 + #include <linux/random.h>
7158 + #include <linux/sched.h>
7159 ++#include <linux/bitops.h>
7160 ++#include <linux/slab.h>
7161 ++#include <linux/notifier.h>
7162 + #include <asm/unaligned.h>
7163 +
7164 + /**
7165 +@@ -544,9 +547,11 @@ static void prandom_reseed(struct timer_list *unused)
7166 + * To avoid worrying about whether it's safe to delay that interrupt
7167 + * long enough to seed all CPUs, just schedule an immediate timer event.
7168 + */
7169 +-static void prandom_timer_start(struct random_ready_callback *unused)
7170 ++static int prandom_timer_start(struct notifier_block *nb,
7171 ++ unsigned long action, void *data)
7172 + {
7173 + mod_timer(&seed_timer, jiffies);
7174 ++ return 0;
7175 + }
7176 +
7177 + /*
7178 +@@ -555,13 +560,13 @@ static void prandom_timer_start(struct random_ready_callback *unused)
7179 + */
7180 + static int __init prandom_init_late(void)
7181 + {
7182 +- static struct random_ready_callback random_ready = {
7183 +- .func = prandom_timer_start
7184 ++ static struct notifier_block random_ready = {
7185 ++ .notifier_call = prandom_timer_start
7186 + };
7187 +- int ret = add_random_ready_callback(&random_ready);
7188 ++ int ret = register_random_ready_notifier(&random_ready);
7189 +
7190 + if (ret == -EALREADY) {
7191 +- prandom_timer_start(&random_ready);
7192 ++ prandom_timer_start(&random_ready, 0, NULL);
7193 + ret = 0;
7194 + }
7195 + return ret;
7196 +diff --git a/lib/sha1.c b/lib/sha1.c
7197 +index 1d96d2c02b826..bad46695476bd 100644
7198 +--- a/lib/sha1.c
7199 ++++ b/lib/sha1.c
7200 +@@ -10,6 +10,7 @@
7201 + #include <linux/export.h>
7202 + #include <linux/bitops.h>
7203 + #include <linux/cryptohash.h>
7204 ++#include <linux/string.h>
7205 + #include <asm/unaligned.h>
7206 +
7207 + /*
7208 +@@ -55,7 +56,8 @@
7209 + #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
7210 + __u32 TEMP = input(t); setW(t, TEMP); \
7211 + E += TEMP + rol32(A,5) + (fn) + (constant); \
7212 +- B = ror32(B, 2); } while (0)
7213 ++ B = ror32(B, 2); \
7214 ++ TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
7215 +
7216 + #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
7217 + #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
7218 +@@ -82,6 +84,7 @@
7219 + void sha_transform(__u32 *digest, const char *data, __u32 *array)
7220 + {
7221 + __u32 A, B, C, D, E;
7222 ++ unsigned int i = 0;
7223 +
7224 + A = digest[0];
7225 + B = digest[1];
7226 +@@ -90,94 +93,24 @@ void sha_transform(__u32 *digest, const char *data, __u32 *array)
7227 + E = digest[4];
7228 +
7229 + /* Round 1 - iterations 0-16 take their input from 'data' */
7230 +- T_0_15( 0, A, B, C, D, E);
7231 +- T_0_15( 1, E, A, B, C, D);
7232 +- T_0_15( 2, D, E, A, B, C);
7233 +- T_0_15( 3, C, D, E, A, B);
7234 +- T_0_15( 4, B, C, D, E, A);
7235 +- T_0_15( 5, A, B, C, D, E);
7236 +- T_0_15( 6, E, A, B, C, D);
7237 +- T_0_15( 7, D, E, A, B, C);
7238 +- T_0_15( 8, C, D, E, A, B);
7239 +- T_0_15( 9, B, C, D, E, A);
7240 +- T_0_15(10, A, B, C, D, E);
7241 +- T_0_15(11, E, A, B, C, D);
7242 +- T_0_15(12, D, E, A, B, C);
7243 +- T_0_15(13, C, D, E, A, B);
7244 +- T_0_15(14, B, C, D, E, A);
7245 +- T_0_15(15, A, B, C, D, E);
7246 ++ for (; i < 16; ++i)
7247 ++ T_0_15(i, A, B, C, D, E);
7248 +
7249 + /* Round 1 - tail. Input from 512-bit mixing array */
7250 +- T_16_19(16, E, A, B, C, D);
7251 +- T_16_19(17, D, E, A, B, C);
7252 +- T_16_19(18, C, D, E, A, B);
7253 +- T_16_19(19, B, C, D, E, A);
7254 ++ for (; i < 20; ++i)
7255 ++ T_16_19(i, A, B, C, D, E);
7256 +
7257 + /* Round 2 */
7258 +- T_20_39(20, A, B, C, D, E);
7259 +- T_20_39(21, E, A, B, C, D);
7260 +- T_20_39(22, D, E, A, B, C);
7261 +- T_20_39(23, C, D, E, A, B);
7262 +- T_20_39(24, B, C, D, E, A);
7263 +- T_20_39(25, A, B, C, D, E);
7264 +- T_20_39(26, E, A, B, C, D);
7265 +- T_20_39(27, D, E, A, B, C);
7266 +- T_20_39(28, C, D, E, A, B);
7267 +- T_20_39(29, B, C, D, E, A);
7268 +- T_20_39(30, A, B, C, D, E);
7269 +- T_20_39(31, E, A, B, C, D);
7270 +- T_20_39(32, D, E, A, B, C);
7271 +- T_20_39(33, C, D, E, A, B);
7272 +- T_20_39(34, B, C, D, E, A);
7273 +- T_20_39(35, A, B, C, D, E);
7274 +- T_20_39(36, E, A, B, C, D);
7275 +- T_20_39(37, D, E, A, B, C);
7276 +- T_20_39(38, C, D, E, A, B);
7277 +- T_20_39(39, B, C, D, E, A);
7278 ++ for (; i < 40; ++i)
7279 ++ T_20_39(i, A, B, C, D, E);
7280 +
7281 + /* Round 3 */
7282 +- T_40_59(40, A, B, C, D, E);
7283 +- T_40_59(41, E, A, B, C, D);
7284 +- T_40_59(42, D, E, A, B, C);
7285 +- T_40_59(43, C, D, E, A, B);
7286 +- T_40_59(44, B, C, D, E, A);
7287 +- T_40_59(45, A, B, C, D, E);
7288 +- T_40_59(46, E, A, B, C, D);
7289 +- T_40_59(47, D, E, A, B, C);
7290 +- T_40_59(48, C, D, E, A, B);
7291 +- T_40_59(49, B, C, D, E, A);
7292 +- T_40_59(50, A, B, C, D, E);
7293 +- T_40_59(51, E, A, B, C, D);
7294 +- T_40_59(52, D, E, A, B, C);
7295 +- T_40_59(53, C, D, E, A, B);
7296 +- T_40_59(54, B, C, D, E, A);
7297 +- T_40_59(55, A, B, C, D, E);
7298 +- T_40_59(56, E, A, B, C, D);
7299 +- T_40_59(57, D, E, A, B, C);
7300 +- T_40_59(58, C, D, E, A, B);
7301 +- T_40_59(59, B, C, D, E, A);
7302 ++ for (; i < 60; ++i)
7303 ++ T_40_59(i, A, B, C, D, E);
7304 +
7305 + /* Round 4 */
7306 +- T_60_79(60, A, B, C, D, E);
7307 +- T_60_79(61, E, A, B, C, D);
7308 +- T_60_79(62, D, E, A, B, C);
7309 +- T_60_79(63, C, D, E, A, B);
7310 +- T_60_79(64, B, C, D, E, A);
7311 +- T_60_79(65, A, B, C, D, E);
7312 +- T_60_79(66, E, A, B, C, D);
7313 +- T_60_79(67, D, E, A, B, C);
7314 +- T_60_79(68, C, D, E, A, B);
7315 +- T_60_79(69, B, C, D, E, A);
7316 +- T_60_79(70, A, B, C, D, E);
7317 +- T_60_79(71, E, A, B, C, D);
7318 +- T_60_79(72, D, E, A, B, C);
7319 +- T_60_79(73, C, D, E, A, B);
7320 +- T_60_79(74, B, C, D, E, A);
7321 +- T_60_79(75, A, B, C, D, E);
7322 +- T_60_79(76, E, A, B, C, D);
7323 +- T_60_79(77, D, E, A, B, C);
7324 +- T_60_79(78, C, D, E, A, B);
7325 +- T_60_79(79, B, C, D, E, A);
7326 ++ for (; i < 80; ++i)
7327 ++ T_60_79(i, A, B, C, D, E);
7328 +
7329 + digest[0] += A;
7330 + digest[1] += B;
7331 +diff --git a/lib/siphash.c b/lib/siphash.c
7332 +index e632ee40aac1a..5b34b5c839887 100644
7333 +--- a/lib/siphash.c
7334 ++++ b/lib/siphash.c
7335 +@@ -18,19 +18,13 @@
7336 + #include <asm/word-at-a-time.h>
7337 + #endif
7338 +
7339 +-#define SIPROUND \
7340 +- do { \
7341 +- v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \
7342 +- v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \
7343 +- v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \
7344 +- v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \
7345 +- } while (0)
7346 ++#define SIPROUND SIPHASH_PERMUTATION(v0, v1, v2, v3)
7347 +
7348 + #define PREAMBLE(len) \
7349 +- u64 v0 = 0x736f6d6570736575ULL; \
7350 +- u64 v1 = 0x646f72616e646f6dULL; \
7351 +- u64 v2 = 0x6c7967656e657261ULL; \
7352 +- u64 v3 = 0x7465646279746573ULL; \
7353 ++ u64 v0 = SIPHASH_CONST_0; \
7354 ++ u64 v1 = SIPHASH_CONST_1; \
7355 ++ u64 v2 = SIPHASH_CONST_2; \
7356 ++ u64 v3 = SIPHASH_CONST_3; \
7357 + u64 b = ((u64)(len)) << 56; \
7358 + v3 ^= key->key[1]; \
7359 + v2 ^= key->key[0]; \
7360 +@@ -389,19 +383,13 @@ u32 hsiphash_4u32(const u32 first, const u32 second, const u32 third,
7361 + }
7362 + EXPORT_SYMBOL(hsiphash_4u32);
7363 + #else
7364 +-#define HSIPROUND \
7365 +- do { \
7366 +- v0 += v1; v1 = rol32(v1, 5); v1 ^= v0; v0 = rol32(v0, 16); \
7367 +- v2 += v3; v3 = rol32(v3, 8); v3 ^= v2; \
7368 +- v0 += v3; v3 = rol32(v3, 7); v3 ^= v0; \
7369 +- v2 += v1; v1 = rol32(v1, 13); v1 ^= v2; v2 = rol32(v2, 16); \
7370 +- } while (0)
7371 ++#define HSIPROUND HSIPHASH_PERMUTATION(v0, v1, v2, v3)
7372 +
7373 + #define HPREAMBLE(len) \
7374 +- u32 v0 = 0; \
7375 +- u32 v1 = 0; \
7376 +- u32 v2 = 0x6c796765U; \
7377 +- u32 v3 = 0x74656462U; \
7378 ++ u32 v0 = HSIPHASH_CONST_0; \
7379 ++ u32 v1 = HSIPHASH_CONST_1; \
7380 ++ u32 v2 = HSIPHASH_CONST_2; \
7381 ++ u32 v3 = HSIPHASH_CONST_3; \
7382 + u32 b = ((u32)(len)) << 24; \
7383 + v3 ^= key->key[1]; \
7384 + v2 ^= key->key[0]; \
7385 +diff --git a/lib/vsprintf.c b/lib/vsprintf.c
7386 +index c2619510636eb..5e672480d3be2 100644
7387 +--- a/lib/vsprintf.c
7388 ++++ b/lib/vsprintf.c
7389 +@@ -1700,14 +1700,16 @@ static void enable_ptr_key_workfn(struct work_struct *work)
7390 +
7391 + static DECLARE_WORK(enable_ptr_key_work, enable_ptr_key_workfn);
7392 +
7393 +-static void fill_random_ptr_key(struct random_ready_callback *unused)
7394 ++static int fill_random_ptr_key(struct notifier_block *nb,
7395 ++ unsigned long action, void *data)
7396 + {
7397 + /* This may be in an interrupt handler. */
7398 + queue_work(system_unbound_wq, &enable_ptr_key_work);
7399 ++ return 0;
7400 + }
7401 +
7402 +-static struct random_ready_callback random_ready = {
7403 +- .func = fill_random_ptr_key
7404 ++static struct notifier_block random_ready = {
7405 ++ .notifier_call = fill_random_ptr_key
7406 + };
7407 +
7408 + static int __init initialize_ptr_random(void)
7409 +@@ -1721,7 +1723,7 @@ static int __init initialize_ptr_random(void)
7410 + return 0;
7411 + }
7412 +
7413 +- ret = add_random_ready_callback(&random_ready);
7414 ++ ret = register_random_ready_notifier(&random_ready);
7415 + if (!ret) {
7416 + return 0;
7417 + } else if (ret == -EALREADY) {
7418 +diff --git a/mm/util.c b/mm/util.c
7419 +index 621afcea2bfa8..e63eeb95f0f0a 100644
7420 +--- a/mm/util.c
7421 ++++ b/mm/util.c
7422 +@@ -14,6 +14,7 @@
7423 + #include <linux/hugetlb.h>
7424 + #include <linux/vmalloc.h>
7425 + #include <linux/userfaultfd_k.h>
7426 ++#include <linux/random.h>
7427 +
7428 + #include <asm/sections.h>
7429 + #include <linux/uaccess.h>
7430 +@@ -286,6 +287,38 @@ int vma_is_stack_for_current(struct vm_area_struct *vma)
7431 + return (vma->vm_start <= KSTK_ESP(t) && vma->vm_end >= KSTK_ESP(t));
7432 + }
7433 +
7434 ++/**
7435 ++ * randomize_page - Generate a random, page aligned address
7436 ++ * @start: The smallest acceptable address the caller will take.
7437 ++ * @range: The size of the area, starting at @start, within which the
7438 ++ * random address must fall.
7439 ++ *
7440 ++ * If @start + @range would overflow, @range is capped.
7441 ++ *
7442 ++ * NOTE: Historical use of randomize_range, which this replaces, presumed that
7443 ++ * @start was already page aligned. We now align it regardless.
7444 ++ *
7445 ++ * Return: A page aligned address within [start, start + range). On error,
7446 ++ * @start is returned.
7447 ++ */
7448 ++unsigned long randomize_page(unsigned long start, unsigned long range)
7449 ++{
7450 ++ if (!PAGE_ALIGNED(start)) {
7451 ++ range -= PAGE_ALIGN(start) - start;
7452 ++ start = PAGE_ALIGN(start);
7453 ++ }
7454 ++
7455 ++ if (start > ULONG_MAX - range)
7456 ++ range = ULONG_MAX - start;
7457 ++
7458 ++ range >>= PAGE_SHIFT;
7459 ++
7460 ++ if (range == 0)
7461 ++ return start;
7462 ++
7463 ++ return start + (get_random_long() % range << PAGE_SHIFT);
7464 ++}
7465 ++
7466 + #if defined(CONFIG_MMU) && !defined(HAVE_ARCH_PICK_MMAP_LAYOUT)
7467 + void arch_pick_mmap_layout(struct mm_struct *mm, struct rlimit *rlim_stack)
7468 + {
7469 +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
7470 +index 0a8aec3f37cc6..5295a579ec820 100644
7471 +--- a/net/ipv4/inet_hashtables.c
7472 ++++ b/net/ipv4/inet_hashtables.c
7473 +@@ -718,12 +718,14 @@ EXPORT_SYMBOL_GPL(inet_unhash);
7474 + * Note that we use 32bit integers (vs RFC 'short integers')
7475 + * because 2^16 is not a multiple of num_ephemeral and this
7476 + * property might be used by clever attacker.
7477 +- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
7478 +- * we use 256 instead to really give more isolation and
7479 +- * privacy, this only consumes 1 KB of kernel memory.
7480 ++ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
7481 ++ * attacks were since demonstrated, thus we use 65536 instead to really
7482 ++ * give more isolation and privacy, at the expense of 256kB of kernel
7483 ++ * memory.
7484 + */
7485 +-#define INET_TABLE_PERTURB_SHIFT 8
7486 +-static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
7487 ++#define INET_TABLE_PERTURB_SHIFT 16
7488 ++#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
7489 ++static u32 *table_perturb;
7490 +
7491 + int __inet_hash_connect(struct inet_timewait_death_row *death_row,
7492 + struct sock *sk, u64 port_offset,
7493 +@@ -763,10 +765,11 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
7494 + if (likely(remaining > 1))
7495 + remaining &= ~1U;
7496 +
7497 +- net_get_random_once(table_perturb, sizeof(table_perturb));
7498 +- index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT);
7499 ++ net_get_random_once(table_perturb,
7500 ++ INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
7501 ++ index = port_offset & (INET_TABLE_PERTURB_SIZE - 1);
7502 +
7503 +- offset = READ_ONCE(table_perturb[index]) + port_offset;
7504 ++ offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32);
7505 + offset %= remaining;
7506 +
7507 + /* In first pass we try ports of @low parity.
7508 +@@ -821,6 +824,12 @@ next_port:
7509 + return -EADDRNOTAVAIL;
7510 +
7511 + ok:
7512 ++ /* Here we want to add a little bit of randomness to the next source
7513 ++ * port that will be chosen. We use a max() with a random here so that
7514 ++ * on low contention the randomness is maximal and on high contention
7515 ++ * it may be inexistent.
7516 ++ */
7517 ++ i = max_t(int, i, (prandom_u32() & 7) * 2);
7518 + WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
7519 +
7520 + /* Head lock still held and bh's disabled */
7521 +@@ -890,6 +899,12 @@ void __init inet_hashinfo2_init(struct inet_hashinfo *h, const char *name,
7522 + INIT_HLIST_HEAD(&h->lhash2[i].head);
7523 + h->lhash2[i].count = 0;
7524 + }
7525 ++
7526 ++ /* this one is used for source ports of outgoing connections */
7527 ++ table_perturb = kmalloc_array(INET_TABLE_PERTURB_SIZE,
7528 ++ sizeof(*table_perturb), GFP_KERNEL);
7529 ++ if (!table_perturb)
7530 ++ panic("TCP: failed to alloc table_perturb");
7531 + }
7532 +
7533 + int inet_ehash_locks_alloc(struct inet_hashinfo *hashinfo)
7534 +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
7535 +index 2ff25c445b821..9dae10d8880cf 100644
7536 +--- a/net/l2tp/l2tp_ip6.c
7537 ++++ b/net/l2tp/l2tp_ip6.c
7538 +@@ -519,14 +519,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
7539 + struct ipcm6_cookie ipc6;
7540 + int addr_len = msg->msg_namelen;
7541 + int transhdrlen = 4; /* zero session-id */
7542 +- int ulen = len + transhdrlen;
7543 ++ int ulen;
7544 + int err;
7545 +
7546 + /* Rough check on arithmetic overflow,
7547 + better check is made in ip6_append_data().
7548 + */
7549 +- if (len > INT_MAX)
7550 ++ if (len > INT_MAX - transhdrlen)
7551 + return -EMSGSIZE;
7552 ++ ulen = len + transhdrlen;
7553 +
7554 + /* Mirror BSD error message compatibility */
7555 + if (msg->msg_flags & MSG_OOB)
7556 +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
7557 +index 8b75afe412842..091202b84b6e6 100644
7558 +--- a/net/openvswitch/actions.c
7559 ++++ b/net/openvswitch/actions.c
7560 +@@ -443,6 +443,7 @@ static void set_ip_addr(struct sk_buff *skb, struct iphdr *nh,
7561 + update_ip_l4_checksum(skb, nh, *addr, new_addr);
7562 + csum_replace4(&nh->check, *addr, new_addr);
7563 + skb_clear_hash(skb);
7564 ++ ovs_ct_clear(skb, NULL);
7565 + *addr = new_addr;
7566 + }
7567 +
7568 +@@ -490,6 +491,7 @@ static void set_ipv6_addr(struct sk_buff *skb, u8 l4_proto,
7569 + update_ipv6_checksum(skb, l4_proto, addr, new_addr);
7570 +
7571 + skb_clear_hash(skb);
7572 ++ ovs_ct_clear(skb, NULL);
7573 + memcpy(addr, new_addr, sizeof(__be32[4]));
7574 + }
7575 +
7576 +@@ -730,6 +732,7 @@ static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
7577 + static void set_tp_port(struct sk_buff *skb, __be16 *port,
7578 + __be16 new_port, __sum16 *check)
7579 + {
7580 ++ ovs_ct_clear(skb, NULL);
7581 + inet_proto_csum_replace2(check, skb, *port, new_port, false);
7582 + *port = new_port;
7583 + }
7584 +@@ -769,6 +772,7 @@ static int set_udp(struct sk_buff *skb, struct sw_flow_key *flow_key,
7585 + uh->dest = dst;
7586 + flow_key->tp.src = src;
7587 + flow_key->tp.dst = dst;
7588 ++ ovs_ct_clear(skb, NULL);
7589 + }
7590 +
7591 + skb_clear_hash(skb);
7592 +@@ -831,6 +835,8 @@ static int set_sctp(struct sk_buff *skb, struct sw_flow_key *flow_key,
7593 + sh->checksum = old_csum ^ old_correct_csum ^ new_csum;
7594 +
7595 + skb_clear_hash(skb);
7596 ++ ovs_ct_clear(skb, NULL);
7597 ++
7598 + flow_key->tp.src = sh->source;
7599 + flow_key->tp.dst = sh->dest;
7600 +
7601 +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
7602 +index fb13fcfedaf4f..0777c8d416f1b 100644
7603 +--- a/net/openvswitch/conntrack.c
7604 ++++ b/net/openvswitch/conntrack.c
7605 +@@ -1303,7 +1303,8 @@ int ovs_ct_clear(struct sk_buff *skb, struct sw_flow_key *key)
7606 + if (skb_nfct(skb)) {
7607 + nf_conntrack_put(skb_nfct(skb));
7608 + nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
7609 +- ovs_ct_fill_key(skb, key);
7610 ++ if (key)
7611 ++ ovs_ct_fill_key(skb, key);
7612 + }
7613 +
7614 + return 0;
7615 +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
7616 +index 180f5feb77177..eba94cf3d2d01 100644
7617 +--- a/net/openvswitch/flow_netlink.c
7618 ++++ b/net/openvswitch/flow_netlink.c
7619 +@@ -2253,6 +2253,36 @@ static struct sw_flow_actions *nla_alloc_flow_actions(int size)
7620 + return sfa;
7621 + }
7622 +
7623 ++static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len);
7624 ++
7625 ++static void ovs_nla_free_clone_action(const struct nlattr *action)
7626 ++{
7627 ++ const struct nlattr *a = nla_data(action);
7628 ++ int rem = nla_len(action);
7629 ++
7630 ++ switch (nla_type(a)) {
7631 ++ case OVS_CLONE_ATTR_EXEC:
7632 ++ /* The real list of actions follows this attribute. */
7633 ++ a = nla_next(a, &rem);
7634 ++ ovs_nla_free_nested_actions(a, rem);
7635 ++ break;
7636 ++ }
7637 ++}
7638 ++
7639 ++static void ovs_nla_free_sample_action(const struct nlattr *action)
7640 ++{
7641 ++ const struct nlattr *a = nla_data(action);
7642 ++ int rem = nla_len(action);
7643 ++
7644 ++ switch (nla_type(a)) {
7645 ++ case OVS_SAMPLE_ATTR_ARG:
7646 ++ /* The real list of actions follows this attribute. */
7647 ++ a = nla_next(a, &rem);
7648 ++ ovs_nla_free_nested_actions(a, rem);
7649 ++ break;
7650 ++ }
7651 ++}
7652 ++
7653 + static void ovs_nla_free_set_action(const struct nlattr *a)
7654 + {
7655 + const struct nlattr *ovs_key = nla_data(a);
7656 +@@ -2266,25 +2296,46 @@ static void ovs_nla_free_set_action(const struct nlattr *a)
7657 + }
7658 + }
7659 +
7660 +-void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
7661 ++static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len)
7662 + {
7663 + const struct nlattr *a;
7664 + int rem;
7665 +
7666 +- if (!sf_acts)
7667 ++ /* Whenever new actions are added, the need to update this
7668 ++ * function should be considered.
7669 ++ */
7670 ++ BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 20);
7671 ++
7672 ++ if (!actions)
7673 + return;
7674 +
7675 +- nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) {
7676 ++ nla_for_each_attr(a, actions, len, rem) {
7677 + switch (nla_type(a)) {
7678 +- case OVS_ACTION_ATTR_SET:
7679 +- ovs_nla_free_set_action(a);
7680 ++ case OVS_ACTION_ATTR_CLONE:
7681 ++ ovs_nla_free_clone_action(a);
7682 + break;
7683 ++
7684 + case OVS_ACTION_ATTR_CT:
7685 + ovs_ct_free_action(a);
7686 + break;
7687 ++
7688 ++ case OVS_ACTION_ATTR_SAMPLE:
7689 ++ ovs_nla_free_sample_action(a);
7690 ++ break;
7691 ++
7692 ++ case OVS_ACTION_ATTR_SET:
7693 ++ ovs_nla_free_set_action(a);
7694 ++ break;
7695 + }
7696 + }
7697 ++}
7698 ++
7699 ++void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
7700 ++{
7701 ++ if (!sf_acts)
7702 ++ return;
7703 +
7704 ++ ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len);
7705 + kfree(sf_acts);
7706 + }
7707 +
7708 +diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c
7709 +index 3d65a2bccfc7b..7f9d8365c9320 100644
7710 +--- a/net/sunrpc/xprtrdma/rpc_rdma.c
7711 ++++ b/net/sunrpc/xprtrdma/rpc_rdma.c
7712 +@@ -72,7 +72,7 @@ static unsigned int rpcrdma_max_call_header_size(unsigned int maxsegs)
7713 +
7714 + /* Maximum Read list size */
7715 + maxsegs += 2; /* segment for head and tail buffers */
7716 +- size = maxsegs * rpcrdma_readchunk_maxsz * sizeof(__be32);
7717 ++ size += maxsegs * rpcrdma_readchunk_maxsz * sizeof(__be32);
7718 +
7719 + /* Minimal Read chunk size */
7720 + size += sizeof(__be32); /* segment count */
7721 +@@ -98,7 +98,7 @@ static unsigned int rpcrdma_max_reply_header_size(unsigned int maxsegs)
7722 +
7723 + /* Maximum Write list size */
7724 + maxsegs += 2; /* segment for head and tail buffers */
7725 +- size = sizeof(__be32); /* segment count */
7726 ++ size += sizeof(__be32); /* segment count */
7727 + size += maxsegs * rpcrdma_segment_maxsz * sizeof(__be32);
7728 + size += sizeof(__be32); /* list discriminator */
7729 +
7730 +diff --git a/scripts/faddr2line b/scripts/faddr2line
7731 +index 226c3f559dc5d..2571caac3156c 100755
7732 +--- a/scripts/faddr2line
7733 ++++ b/scripts/faddr2line
7734 +@@ -95,17 +95,25 @@ __faddr2line() {
7735 + local print_warnings=$4
7736 +
7737 + local sym_name=${func_addr%+*}
7738 +- local offset=${func_addr#*+}
7739 +- offset=${offset%/*}
7740 ++ local func_offset=${func_addr#*+}
7741 ++ func_offset=${func_offset%/*}
7742 + local user_size=
7743 ++ local file_type
7744 ++ local is_vmlinux=0
7745 + [[ $func_addr =~ "/" ]] && user_size=${func_addr#*/}
7746 +
7747 +- if [[ -z $sym_name ]] || [[ -z $offset ]] || [[ $sym_name = $func_addr ]]; then
7748 ++ if [[ -z $sym_name ]] || [[ -z $func_offset ]] || [[ $sym_name = $func_addr ]]; then
7749 + warn "bad func+offset $func_addr"
7750 + DONE=1
7751 + return
7752 + fi
7753 +
7754 ++ # vmlinux uses absolute addresses in the section table rather than
7755 ++ # section offsets.
7756 ++ local file_type=$(${READELF} --file-header $objfile |
7757 ++ ${AWK} '$1 == "Type:" { print $2; exit }')
7758 ++ [[ $file_type = "EXEC" ]] && is_vmlinux=1
7759 ++
7760 + # Go through each of the object's symbols which match the func name.
7761 + # In rare cases there might be duplicates, in which case we print all
7762 + # matches.
7763 +@@ -114,9 +122,11 @@ __faddr2line() {
7764 + local sym_addr=0x${fields[1]}
7765 + local sym_elf_size=${fields[2]}
7766 + local sym_sec=${fields[6]}
7767 ++ local sec_size
7768 ++ local sec_name
7769 +
7770 + # Get the section size:
7771 +- local sec_size=$(${READELF} --section-headers --wide $objfile |
7772 ++ sec_size=$(${READELF} --section-headers --wide $objfile |
7773 + sed 's/\[ /\[/' |
7774 + ${AWK} -v sec=$sym_sec '$1 == "[" sec "]" { print "0x" $6; exit }')
7775 +
7776 +@@ -126,6 +136,17 @@ __faddr2line() {
7777 + return
7778 + fi
7779 +
7780 ++ # Get the section name:
7781 ++ sec_name=$(${READELF} --section-headers --wide $objfile |
7782 ++ sed 's/\[ /\[/' |
7783 ++ ${AWK} -v sec=$sym_sec '$1 == "[" sec "]" { print $2; exit }')
7784 ++
7785 ++ if [[ -z $sec_name ]]; then
7786 ++ warn "bad section name: section: $sym_sec"
7787 ++ DONE=1
7788 ++ return
7789 ++ fi
7790 ++
7791 + # Calculate the symbol size.
7792 + #
7793 + # Unfortunately we can't use the ELF size, because kallsyms
7794 +@@ -174,10 +195,10 @@ __faddr2line() {
7795 +
7796 + sym_size=0x$(printf %x $sym_size)
7797 +
7798 +- # Calculate the section address from user-supplied offset:
7799 +- local addr=$(($sym_addr + $offset))
7800 ++ # Calculate the address from user-supplied offset:
7801 ++ local addr=$(($sym_addr + $func_offset))
7802 + if [[ -z $addr ]] || [[ $addr = 0 ]]; then
7803 +- warn "bad address: $sym_addr + $offset"
7804 ++ warn "bad address: $sym_addr + $func_offset"
7805 + DONE=1
7806 + return
7807 + fi
7808 +@@ -191,9 +212,9 @@ __faddr2line() {
7809 + fi
7810 +
7811 + # Make sure the provided offset is within the symbol's range:
7812 +- if [[ $offset -gt $sym_size ]]; then
7813 ++ if [[ $func_offset -gt $sym_size ]]; then
7814 + [[ $print_warnings = 1 ]] &&
7815 +- echo "skipping $sym_name address at $addr due to size mismatch ($offset > $sym_size)"
7816 ++ echo "skipping $sym_name address at $addr due to size mismatch ($func_offset > $sym_size)"
7817 + continue
7818 + fi
7819 +
7820 +@@ -202,11 +223,13 @@ __faddr2line() {
7821 + [[ $FIRST = 0 ]] && echo
7822 + FIRST=0
7823 +
7824 +- echo "$sym_name+$offset/$sym_size:"
7825 ++ echo "$sym_name+$func_offset/$sym_size:"
7826 +
7827 + # Pass section address to addr2line and strip absolute paths
7828 + # from the output:
7829 +- local output=$(${ADDR2LINE} -fpie $objfile $addr | sed "s; $dir_prefix\(\./\)*; ;")
7830 ++ local args="--functions --pretty-print --inlines --exe=$objfile"
7831 ++ [[ $is_vmlinux = 0 ]] && args="$args --section=$sec_name"
7832 ++ local output=$(${ADDR2LINE} $args $addr | sed "s; $dir_prefix\(\./\)*; ;")
7833 + [[ -z $output ]] && continue
7834 +
7835 + # Default output (non --list):
7836 +diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
7837 +index 3d83c1be12922..de311299432b6 100644
7838 +--- a/sound/soc/codecs/cs42l52.c
7839 ++++ b/sound/soc/codecs/cs42l52.c
7840 +@@ -141,7 +141,9 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0);
7841 +
7842 + static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0);
7843 +
7844 +-static DECLARE_TLV_DB_SCALE(mix_tlv, -50, 50, 0);
7845 ++static DECLARE_TLV_DB_SCALE(pass_tlv, -6000, 50, 0);
7846 ++
7847 ++static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0);
7848 +
7849 + static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0);
7850 +
7851 +@@ -355,7 +357,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
7852 + CS42L52_SPKB_VOL, 0, 0x40, 0xC0, hl_tlv),
7853 +
7854 + SOC_DOUBLE_R_SX_TLV("Bypass Volume", CS42L52_PASSTHRUA_VOL,
7855 +- CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pga_tlv),
7856 ++ CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pass_tlv),
7857 +
7858 + SOC_DOUBLE("Bypass Mute", CS42L52_MISC_CTL, 4, 5, 1, 0),
7859 +
7860 +@@ -368,7 +370,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
7861 + CS42L52_ADCB_VOL, 0, 0xA0, 0x78, ipd_tlv),
7862 + SOC_DOUBLE_R_SX_TLV("ADC Mixer Volume",
7863 + CS42L52_ADCA_MIXER_VOL, CS42L52_ADCB_MIXER_VOL,
7864 +- 0, 0x19, 0x7F, ipd_tlv),
7865 ++ 0, 0x19, 0x7F, mix_tlv),
7866 +
7867 + SOC_DOUBLE("ADC Switch", CS42L52_ADC_MISC_CTL, 0, 1, 1, 0),
7868 +
7869 +diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c
7870 +index 04f89b751304c..deaad703a7dbf 100644
7871 +--- a/sound/soc/codecs/cs42l56.c
7872 ++++ b/sound/soc/codecs/cs42l56.c
7873 +@@ -403,9 +403,9 @@ static const struct snd_kcontrol_new cs42l56_snd_controls[] = {
7874 + SOC_DOUBLE("ADC Boost Switch", CS42L56_GAIN_BIAS_CTL, 3, 2, 1, 1),
7875 +
7876 + SOC_DOUBLE_R_SX_TLV("Headphone Volume", CS42L56_HPA_VOLUME,
7877 +- CS42L56_HPB_VOLUME, 0, 0x84, 0x48, hl_tlv),
7878 ++ CS42L56_HPB_VOLUME, 0, 0x44, 0x48, hl_tlv),
7879 + SOC_DOUBLE_R_SX_TLV("LineOut Volume", CS42L56_LOA_VOLUME,
7880 +- CS42L56_LOB_VOLUME, 0, 0x84, 0x48, hl_tlv),
7881 ++ CS42L56_LOB_VOLUME, 0, 0x44, 0x48, hl_tlv),
7882 +
7883 + SOC_SINGLE_TLV("Bass Shelving Volume", CS42L56_TONE_CTL,
7884 + 0, 0x00, 1, tone_tlv),
7885 +diff --git a/sound/soc/codecs/cs53l30.c b/sound/soc/codecs/cs53l30.c
7886 +index 8995ea45b4ca8..86e93904b001c 100644
7887 +--- a/sound/soc/codecs/cs53l30.c
7888 ++++ b/sound/soc/codecs/cs53l30.c
7889 +@@ -351,22 +351,22 @@ static const struct snd_kcontrol_new cs53l30_snd_controls[] = {
7890 + SOC_ENUM("ADC2 NG Delay", adc2_ng_delay_enum),
7891 +
7892 + SOC_SINGLE_SX_TLV("ADC1A PGA Volume",
7893 +- CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x18, pga_tlv),
7894 ++ CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x24, pga_tlv),
7895 + SOC_SINGLE_SX_TLV("ADC1B PGA Volume",
7896 +- CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x18, pga_tlv),
7897 ++ CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x24, pga_tlv),
7898 + SOC_SINGLE_SX_TLV("ADC2A PGA Volume",
7899 +- CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x18, pga_tlv),
7900 ++ CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x24, pga_tlv),
7901 + SOC_SINGLE_SX_TLV("ADC2B PGA Volume",
7902 +- CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x18, pga_tlv),
7903 ++ CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x24, pga_tlv),
7904 +
7905 + SOC_SINGLE_SX_TLV("ADC1A Digital Volume",
7906 +- CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv),
7907 ++ CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv),
7908 + SOC_SINGLE_SX_TLV("ADC1B Digital Volume",
7909 +- CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv),
7910 ++ CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv),
7911 + SOC_SINGLE_SX_TLV("ADC2A Digital Volume",
7912 +- CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv),
7913 ++ CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv),
7914 + SOC_SINGLE_SX_TLV("ADC2B Digital Volume",
7915 +- CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv),
7916 ++ CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv),
7917 + };
7918 +
7919 + static const struct snd_soc_dapm_widget cs53l30_dapm_widgets[] = {
7920 +diff --git a/sound/soc/codecs/es8328.c b/sound/soc/codecs/es8328.c
7921 +index 3afa163f7652d..dcb01889e177b 100644
7922 +--- a/sound/soc/codecs/es8328.c
7923 ++++ b/sound/soc/codecs/es8328.c
7924 +@@ -165,13 +165,16 @@ static int es8328_put_deemph(struct snd_kcontrol *kcontrol,
7925 + if (deemph > 1)
7926 + return -EINVAL;
7927 +
7928 ++ if (es8328->deemph == deemph)
7929 ++ return 0;
7930 ++
7931 + ret = es8328_set_deemph(component);
7932 + if (ret < 0)
7933 + return ret;
7934 +
7935 + es8328->deemph = deemph;
7936 +
7937 +- return 0;
7938 ++ return 1;
7939 + }
7940 +
7941 +
7942 +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
7943 +index dde015fd70a41..3f75cb3209ffa 100644
7944 +--- a/sound/soc/codecs/wm8962.c
7945 ++++ b/sound/soc/codecs/wm8962.c
7946 +@@ -3861,6 +3861,7 @@ static int wm8962_runtime_suspend(struct device *dev)
7947 + #endif
7948 +
7949 + static const struct dev_pm_ops wm8962_pm = {
7950 ++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume)
7951 + SET_RUNTIME_PM_OPS(wm8962_runtime_suspend, wm8962_runtime_resume, NULL)
7952 + };
7953 +
7954 +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
7955 +index 02c557e1f779c..c5b0b56d9c94e 100644
7956 +--- a/sound/soc/codecs/wm_adsp.c
7957 ++++ b/sound/soc/codecs/wm_adsp.c
7958 +@@ -697,7 +697,7 @@ int wm_adsp_fw_put(struct snd_kcontrol *kcontrol,
7959 + struct snd_soc_component *component = snd_soc_kcontrol_component(kcontrol);
7960 + struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
7961 + struct wm_adsp *dsp = snd_soc_component_get_drvdata(component);
7962 +- int ret = 0;
7963 ++ int ret = 1;
7964 +
7965 + if (ucontrol->value.enumerated.item[0] == dsp[e->shift_l].fw)
7966 + return 0;
Report Message
Find on MARC Find on Google Groups