This is a note to let you know that I've just added the patch titled random: absorb fast pool into input pool after fast load to the 5.17-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: random-absorb-fast-pool-into-input-pool-after-fast-load.patch and it can be found in the queue-5.17 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu May 26 04:19:10 PM CEST 2022 From: "Jason A. Donenfeld" <Jason@xxxxxxxxx> Date: Wed, 9 Feb 2022 01:56:35 +0100 Subject: random: absorb fast pool into input pool after fast load From: "Jason A. Donenfeld" <Jason@xxxxxxxxx> commit c30c575db4858f0bbe5e315ff2e529c782f33a1f upstream. During crng_init == 0, we never credit entropy in add_interrupt_ randomness(), but instead dump it directly into the primary_crng. That's fine, except for the fact that we then wind up throwing away that entropy later when we switch to extracting from the input pool and xoring into (and later in this series overwriting) the primary_crng key. The two other early init sites -- add_hwgenerator_randomness()'s use crng_fast_load() and add_device_ randomness()'s use of crng_slow_load() -- always additionally give their inputs to the input pool. But not add_interrupt_randomness(). This commit fixes that shortcoming by calling mix_pool_bytes() after crng_fast_load() in add_interrupt_randomness(). That's partially verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ handler. But this also only happens during early boot and then never again after that. Plus it's a trylock so it has the same considerations as calling crng_fast_load(), which we're already using. Cc: Theodore Ts'o <tytso@xxxxxxx> Reviewed-by: Dominik Brodowski <linux@xxxxxxxxxxxxxxxxxxxx> Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx> Suggested-by: Eric Biggers <ebiggers@xxxxxxxxxx> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/char/random.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -850,6 +850,10 @@ void add_interrupt_randomness(int irq) crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) { fast_pool->count = 0; fast_pool->last = now; + if (spin_trylock(&input_pool.lock)) { + _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool)); + spin_unlock(&input_pool.lock); + } } return; } Patches currently in stable-queue which might be from Jason@xxxxxxxxx are queue-5.17/random-remove-ratelimiting-for-in-kernel-unseeded-randomness.patch queue-5.17/random-introduce-drain_entropy-helper-to-declutter-crng_reseed.patch queue-5.17/random-fix-sysctl-documentation-nits.patch queue-5.17/random-help-compiler-out-with-fast_mix-by-using-simpler-arguments.patch queue-5.17/random-use-simpler-fast-key-erasure-flow-on-per-cpu-keys.patch queue-5.17/siphash-use-one-source-of-truth-for-siphash-permutations.patch queue-5.17/um-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-get-rid-of-secondary-crngs.patch queue-5.17/random-check-for-crng_init-0-in-add_device_randomness.patch queue-5.17/random-order-timer-entropy-functions-below-interrupt-functions.patch queue-5.17/random-unify-batched-entropy-implementations.patch queue-5.17/random-remove-unused-tracepoints.patch queue-5.17/random-add-proper-spdx-header.patch queue-5.17/random-group-entropy-collection-functions.patch queue-5.17/random-don-t-let-644-read-only-sysctls-be-written-to.patch queue-5.17/random-make-consistent-use-of-buf-and-len.patch queue-5.17/random-make-consistent-usage-of-crng_ready.patch queue-5.17/random-make-random_get_entropy-return-an-unsigned-long.patch queue-5.17/random-move-randomize_page-into-mm-where-it-belongs.patch queue-5.17/random-use-first-128-bits-of-input-as-fast-init.patch queue-5.17/random-use-computational-hash-for-entropy-extraction.patch queue-5.17/random-unify-cycles_t-and-jiffies-usage-and-types.patch queue-5.17/random-rewrite-header-introductory-comment.patch queue-5.17/random-use-proper-return-types-on-get_random_-int-long-_wait.patch queue-5.17/random-check-for-signal-and-try-earlier-when-generating-entropy.patch queue-5.17/s390-define-get_cycles-macro-for-arch-override.patch queue-5.17/random-ensure-early-rdseed-goes-through-mixer-on-init.patch queue-5.17/random-cleanup-uuid-handling.patch queue-5.17/random-mix-build-time-latent-entropy-into-pool-at-init.patch queue-5.17/random-reseed-more-often-immediately-after-booting.patch queue-5.17/random-remove-ifdef-d-out-interrupt-bench.patch queue-5.17/timekeeping-add-raw-clock-fallback-for-random_get_entropy.patch queue-5.17/random-allow-partial-reads-if-later-user-copies-fail.patch queue-5.17/random.patch queue-5.17/random-use-static-branch-for-crng_ready.patch queue-5.17/arm-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-tie-batched-entropy-generation-to-base_crng-generation.patch queue-5.17/random-round-robin-registers-as-ulong-not-u32.patch queue-5.17/mips-use-fallback-for-random_get_entropy-instead-of-just-c0-random.patch queue-5.17/random-do-not-take-pool-spinlock-at-boot.patch queue-5.17/random-absorb-fast-pool-into-input-pool-after-fast-load.patch queue-5.17/random-remove-useless-header-comment.patch queue-5.17/random-do-not-allow-user-to-keep-crng-key-around-on-stack.patch queue-5.17/random-avoid-initializing-twice-in-credit-race.patch queue-5.17/random-move-initialization-functions-out-of-hot-pages.patch queue-5.17/random-do-not-pretend-to-handle-premature-next-security-model.patch queue-5.17/random-remove-batched-entropy-locking.patch queue-5.17/random-do-not-use-batches-when-crng_ready.patch queue-5.17/random-deobfuscate-irq-u32-u64-contributions.patch queue-5.17/random-group-crng-functions.patch queue-5.17/random-defer-fast-pool-mixing-to-worker.patch queue-5.17/random-group-initialization-wait-functions.patch queue-5.17/random-treat-bootloader-trust-toggle-the-same-way-as-cpu-trust-toggle.patch queue-5.17/random-do-crng-pre-init-loading-in-worker-rather-than-irq.patch queue-5.17/random-give-sysctl_random_min_urandom_seed-a-more-sensible-value.patch queue-5.17/random-re-add-removed-comment-about-get_random_-u32-u64-reseeding.patch queue-5.17/m68k-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-clear-fast-pool-crng-and-batches-in-cpuhp-bring-up.patch queue-5.17/random-move-initialization-out-of-reseeding-hot-path.patch queue-5.17/x86-tsc-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-use-rdseed-instead-of-rdrand-in-entropy-extraction.patch queue-5.17/random-remove-use_input_pool-parameter-from-crng_reseed.patch queue-5.17/random-use-siphash-as-interrupt-entropy-accumulator.patch queue-5.17/random-skip-fast_init-if-hwrng-provides-large-chunk-of-entropy.patch queue-5.17/random-fix-locking-for-crng_init-in-crng_reseed.patch queue-5.17/random-group-entropy-extraction-functions.patch queue-5.17/random-group-userspace-read-write-functions.patch queue-5.17/random-credit-architectural-init-the-exact-amount.patch queue-5.17/random-remove-outdated-int_max-6-check-in-urandom_read.patch queue-5.17/random-use-hash-function-for-crng_slow_load.patch queue-5.17/random-inline-leaves-of-rand_initialize.patch queue-5.17/random-check-for-signals-after-page-of-pool-writes.patch queue-5.17/random-simplify-entropy-debiting.patch queue-5.17/random-remove-extern-from-functions-in-header.patch queue-5.17/random-check-for-signal_pending-outside-of-need_resched-check.patch queue-5.17/random-do-not-use-input-pool-from-hard-irqs.patch queue-5.17/random-wire-up-fops-splice_-read-write-_iter.patch queue-5.17/random-fix-locking-in-crng_fast_load.patch queue-5.17/random-make-more-consistent-use-of-integer-types.patch queue-5.17/random-insist-on-random_get_entropy-existing-in-order-to-simplify.patch queue-5.17/powerpc-define-get_cycles-macro-for-arch-override.patch queue-5.17/parisc-define-get_cycles-macro-for-arch-override.patch queue-5.17/sparc-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-group-sysctl-functions.patch queue-5.17/nios2-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/init-call-time_init-before-rand_initialize.patch queue-5.17/riscv-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-replace-custom-notifier-chain-with-standard-one.patch queue-5.17/random-always-wake-up-entropy-writers-after-extraction.patch queue-5.17/random-pull-add_hwgenerator_randomness-declaration-into-random.h.patch queue-5.17/ia64-define-get_cycles-macro-for-arch-override.patch queue-5.17/random-handle-latent-entropy-and-command-line-from-random_init.patch queue-5.17/random-make-credit_entropy_bits-always-safe.patch queue-5.17/random-use-proper-jiffies-comparison-macro.patch queue-5.17/random-zero-buffer-after-reading-entropy-from-userspace.patch queue-5.17/random-do-not-xor-rdrand-when-writing-into-dev-random.patch queue-5.17/random-use-linear-min-entropy-accumulation-crediting.patch queue-5.17/random-unify-early-init-crng-load-accounting.patch queue-5.17/alpha-define-get_cycles-macro-for-arch-override.patch queue-5.17/random-convert-to-using-fops-read_iter.patch queue-5.17/xtensa-use-fallback-for-random_get_entropy-instead-of-zero.patch queue-5.17/random-use-symbolic-constants-for-crng_init-states.patch queue-5.17/random-convert-to-using-fops-write_iter.patch queue-5.17/random-only-wake-up-writers-after-zap-if-threshold-was-passed.patch queue-5.17/random-document-crng_fast_key_erasure-destination-possibility.patch queue-5.17/random-remove-whitespace-and-reorder-includes.patch queue-5.17/random-do-not-split-fast-init-input-in-add_hwgenerator_randomness.patch