1. 03 8月, 2018 1 次提交
    • J
      random: Make crng state queryable · 9a47249d
      Jason A. Donenfeld 提交于
      It is very useful to be able to know whether or not get_random_bytes_wait
      / wait_for_random_bytes is going to block or not, or whether plain
      get_random_bytes is going to return good randomness or bad randomness.
      
      The particular use case is for mitigating certain attacks in WireGuard.
      A handshake packet arrives and is queued up. Elsewhere a worker thread
      takes items from the queue and processes them. In replying to these
      items, it needs to use some random data, and it has to be good random
      data. If we simply block until we can have good randomness, then it's
      possible for an attacker to fill the queue up with packets waiting to be
      processed. Upon realizing the queue is full, WireGuard will detect that
      it's under a denial of service attack, and behave accordingly. A better
      approach is just to drop incoming handshake packets if the crng is not
      yet initialized.
      
      This patch, therefore, makes that information directly accessible.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      9a47249d
  2. 25 7月, 2018 2 次提交
    • I
      random: remove preempt disabled region · b34fbaa9
      Ingo Molnar 提交于
      No need to keep preemption disabled across the whole function.
      
      mix_pool_bytes() uses a spin_lock() to protect the pool and there are
      other places like write_pool() whhich invoke mix_pool_bytes() without
      disabling preemption.
      credit_entropy_bits() is invoked from other places like
      add_hwgenerator_randomness() without disabling preemption.
      
      Before commit 95b709b6 ("random: drop trickle mode") the function
      used __this_cpu_inc_return() which would require disabled preemption.
      The preempt_disable() section was added in commit 43d5d3018c37 ("[PATCH]
      random driver preempt robustness", history tree).  It was claimed that
      the code relied on "vt_ioctl() being called under BKL".
      
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      [bigeasy: enhance the commit message]
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      b34fbaa9
    • T
      random: add a config option to trust the CPU's hwrng · 39a8883a
      Theodore Ts'o 提交于
      This gives the user building their own kernel (or a Linux
      distribution) the option of deciding whether or not to trust the CPU's
      hardware random number generator (e.g., RDRAND for x86 CPU's) as being
      correctly implemented and not having a back door introduced (perhaps
      courtesy of a Nation State's law enforcement or intelligence
      agencies).
      
      This will prevent getrandom(2) from blocking, if there is a
      willingness to trust the CPU manufacturer.
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      39a8883a
  3. 18 7月, 2018 3 次提交
    • T
      random: Return nbytes filled from hw RNG · 753d433b
      Tobin C. Harding 提交于
      Currently the function get_random_bytes_arch() has return value 'void'.
      If the hw RNG fails we currently fall back to using get_random_bytes().
      This defeats the purpose of requesting random material from the hw RNG
      in the first place.
      
      There are currently no intree users of get_random_bytes_arch().
      
      Only get random bytes from the hw RNG, make function return the number
      of bytes retrieved from the hw RNG.
      Acked-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      753d433b
    • T
      random: Fix whitespace pre random-bytes work · 8ddd6efa
      Tobin C. Harding 提交于
      There are a couple of whitespace issues around the function
      get_random_bytes_arch().  In preparation for patching this function
      let's clean them up.
      Acked-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      8ddd6efa
    • T
      random: mix rdrand with entropy sent in from userspace · 81e69df3
      Theodore Ts'o 提交于
      Fedora has integrated the jitter entropy daemon to work around slow
      boot problems, especially on VM's that don't support virtio-rng:
      
          https://bugzilla.redhat.com/show_bug.cgi?id=1572944
      
      It's understandable why they did this, but the Jitter entropy daemon
      works fundamentally on the principle: "the CPU microarchitecture is
      **so** complicated and we can't figure it out, so it *must* be
      random".  Yes, it uses statistical tests to "prove" it is secure, but
      AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
      flying colors.
      
      So if RDRAND is available, mix it into entropy submitted from
      userspace.  It can't hurt, and if you believe the NSA has backdoored
      RDRAND, then they probably have enough details about the Intel
      microarchitecture that they can reverse engineer how the Jitter
      entropy daemon affects the microarchitecture, and attack its output
      stream.  And if RDRAND is in fact an honest DRNG, it will immeasurably
      improve on what the Jitter entropy daemon might produce.
      
      This also provides some protection against someone who is able to read
      or set the entropy seed file.
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Cc: Arnd Bergmann <arnd@arndb.de>
      81e69df3
  4. 29 6月, 2018 1 次提交
    • L
      Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL · a11e1d43
      Linus Torvalds 提交于
      The poll() changes were not well thought out, and completely
      unexplained.  They also caused a huge performance regression, because
      "->poll()" was no longer a trivial file operation that just called down
      to the underlying file operations, but instead did at least two indirect
      calls.
      
      Indirect calls are sadly slow now with the Spectre mitigation, but the
      performance problem could at least be largely mitigated by changing the
      "->get_poll_head()" operation to just have a per-file-descriptor pointer
      to the poll head instead.  That gets rid of one of the new indirections.
      
      But that doesn't fix the new complexity that is completely unwarranted
      for the regular case.  The (undocumented) reason for the poll() changes
      was some alleged AIO poll race fixing, but we don't make the common case
      slower and more complex for some uncommon special case, so this all
      really needs way more explanations and most likely a fundamental
      redesign.
      
      [ This revert is a revert of about 30 different commits, not reverted
        individually because that would just be unnecessarily messy  - Linus ]
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a11e1d43
  5. 26 5月, 2018 1 次提交
  6. 25 4月, 2018 2 次提交
  7. 14 4月, 2018 5 次提交
  8. 01 3月, 2018 3 次提交
  9. 12 2月, 2018 1 次提交
    • L
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds 提交于
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
  10. 29 11月, 2017 2 次提交
  11. 16 11月, 2017 1 次提交
  12. 25 10月, 2017 1 次提交
    • M
      locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns... · 6aa7de05
      Mark Rutland 提交于
      locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()
      
      Please do not apply this to mainline directly, instead please re-run the
      coccinelle script shown below and apply its output.
      
      For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
      preference to ACCESS_ONCE(), and new code is expected to use one of the
      former. So far, there's been no reason to change most existing uses of
      ACCESS_ONCE(), as these aren't harmful, and changing them results in
      churn.
      
      However, for some features, the read/write distinction is critical to
      correct operation. To distinguish these cases, separate read/write
      accessors must be used. This patch migrates (most) remaining
      ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
      coccinelle script:
      
      ----
      // Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
      // WRITE_ONCE()
      
      // $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch
      
      virtual patch
      
      @ depends on patch @
      expression E1, E2;
      @@
      
      - ACCESS_ONCE(E1) = E2
      + WRITE_ONCE(E1, E2)
      
      @ depends on patch @
      expression E;
      @@
      
      - ACCESS_ONCE(E)
      + READ_ONCE(E)
      ----
      Signed-off-by: NMark Rutland <mark.rutland@arm.com>
      Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: davem@davemloft.net
      Cc: linux-arch@vger.kernel.org
      Cc: mpe@ellerman.id.au
      Cc: shuah@kernel.org
      Cc: snitzer@redhat.com
      Cc: thor.thayer@linux.intel.com
      Cc: tj@kernel.org
      Cc: viro@zeniv.linux.org.uk
      Cc: will.deacon@arm.com
      Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      6aa7de05
  13. 09 8月, 2017 1 次提交
    • H
      random: fix warning message on ia64 and parisc · 51d96dc2
      Helge Deller 提交于
      Fix the warning message on the parisc and IA64 architectures to show the
      correct function name of the caller by using %pS instead of %pF. The
      message is printed with the value of _RET_IP_ which calls
      __builtin_return_address(0) and as such returns the IP address caller
      instead of pointer to a function descriptor of the caller.
      
      The effect of this patch is visible on the parisc and ia64 architectures
      only since those are the ones which use function descriptors while on
      all others %pS and %pF will behave the same.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NHelge Deller <deller@gmx.de>
      Fixes: eecabf56 ("random: suppress spammy warnings about unseeded randomness")
      Fixes: d06bfd19 ("random: warn when kernel uses unseeded randomness")
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      51d96dc2
  14. 16 7月, 2017 2 次提交
    • S
      random: reorder READ_ONCE() in get_random_uXX · 72e5c740
      Sebastian Andrzej Siewior 提交于
      Avoid the READ_ONCE in commit 4a072c71 ("random: silence compiler
      warnings and fix race") if we can leave the function after
      arch_get_random_XXX().
      
      Cc: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      72e5c740
    • T
      random: suppress spammy warnings about unseeded randomness · eecabf56
      Theodore Ts'o 提交于
      Unfortunately, on some models of some architectures getting a fully
      seeded CRNG is extremely difficult, and so this can result in dmesg
      getting spammed for a surprisingly long time.  This is really bad from
      a security perspective, and so architecture maintainers really need to
      do what they can to get the CRNG seeded sooner after the system is
      booted.  However, users can't do anything actionble to address this,
      and spamming the kernel messages log will only just annoy people.
      
      For developers who want to work on improving this situation,
      CONFIG_WARN_UNSEEDED_RANDOM has been renamed to
      CONFIG_WARN_ALL_UNSEEDED_RANDOM.  By default the kernel will always
      print the first use of unseeded randomness.  This way, hopefully the
      security obsessed will be happy that there is _some_ indication when
      the kernel boots there may be a potential issue with that architecture
      or subarchitecture.  To see all uses of unseeded randomness,
      developers can enable CONFIG_WARN_ALL_UNSEEDED_RANDOM.
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      eecabf56
  15. 13 7月, 2017 1 次提交
    • K
      random: do not ignore early device randomness · ee7998c5
      Kees Cook 提交于
      The add_device_randomness() function would ignore incoming bytes if the
      crng wasn't ready.  This additionally makes sure to make an early enough
      call to add_latent_entropy() to influence the initial stack canary,
      which is especially important on non-x86 systems where it stays the same
      through the life of the boot.
      
      Link: http://lkml.kernel.org/r/20170626233038.GA48751@beastSigned-off-by: NKees Cook <keescook@chromium.org>
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Jessica Yu <jeyu@redhat.com>
      Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Viresh Kumar <viresh.kumar@linaro.org>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Lokesh Vutla <lokeshvutla@ti.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ee7998c5
  16. 20 6月, 2017 3 次提交
    • J
      random: warn when kernel uses unseeded randomness · d06bfd19
      Jason A. Donenfeld 提交于
      This enables an important dmesg notification about when drivers have
      used the crng without it being seeded first. Prior, these errors would
      occur silently, and so there hasn't been a great way of diagnosing these
      types of bugs for obscure setups. By adding this as a config option, we
      can leave it on by default, so that we learn where these issues happen,
      in the field, will still allowing some people to turn it off, if they
      really know what they're doing and do not want the log entries.
      
      However, we don't leave it _completely_ by default. An earlier version
      of this patch simply had `default y`. I'd really love that, but it turns
      out, this problem with unseeded randomness being used is really quite
      present and is going to take a long time to fix. Thus, as a compromise
      between log-messages-for-all and nobody-knows, this is `default y`,
      except it is also `depends on DEBUG_KERNEL`. This will ensure that the
      curious see the messages while others don't have to.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      d06bfd19
    • J
      random: add wait_for_random_bytes() API · e297a783
      Jason A. Donenfeld 提交于
      This enables users of get_random_{bytes,u32,u64,int,long} to wait until
      the pool is ready before using this function, in case they actually want
      to have reliable randomness.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      e297a783
    • J
      random: silence compiler warnings and fix race · 4a072c71
      Jason A. Donenfeld 提交于
      Odd versions of gcc for the sh4 architecture will actually warn about
      flags being used while uninitialized, so we set them to zero. Non crazy
      gccs will optimize that out again, so it doesn't make a difference.
      
      Next, over aggressive gccs could inline the expression that defines
      use_lock, which could then introduce a race resulting in a lock
      imbalance. By using READ_ONCE, we prevent that fate. Finally, we make
      that assignment const, so that gcc can still optimize a nice amount.
      
      Finally, we fix a potential deadlock between primary_crng.lock and
      batched_entropy_reset_lock, where they could be called in opposite
      order. Moving the call to invalidate_batched_entropy to outside the lock
      rectifies this issue.
      
      Fixes: b169c13dSigned-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      4a072c71
  17. 08 6月, 2017 2 次提交
    • J
      random: invalidate batched entropy after crng init · b169c13d
      Jason A. Donenfeld 提交于
      It's possible that get_random_{u32,u64} is used before the crng has
      initialized, in which case, its output might not be cryptographically
      secure. For this problem, directly, this patch set is introducing the
      *_wait variety of functions, but even with that, there's a subtle issue:
      what happens to our batched entropy that was generated before
      initialization. Prior to this commit, it'd stick around, supplying bad
      numbers. After this commit, we force the entropy to be re-extracted
      after each phase of the crng has initialized.
      
      In order to avoid a race condition with the position counter, we
      introduce a simple rwlock for this invalidation. Since it's only during
      this awkward transition period, after things are all set up, we stop
      using it, so that it doesn't have an impact on performance.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org  # v4.11+
      b169c13d
    • T
      random: use lockless method of accessing and updating f->reg_idx · 92e75428
      Theodore Ts'o 提交于
      Linus pointed out that there is a much more efficient way of avoiding
      the problem that we were trying to address in commit 9dfa7bba:
      "fix race in drivers/char/random.c:get_reg()".
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      92e75428
  18. 25 5月, 2017 1 次提交
    • M
      fix race in drivers/char/random.c:get_reg() · 9dfa7bba
      Michael Schmitz 提交于
      get_reg() can be reentered on architectures with prioritized interrupts
      (m68k in this case), causing f->reg_index to be incremented after the
      range check. Out of bounds memory access past the pt_regs struct results.
      This will go mostly undetected unless access is beyond end of memory.
      
      Prevent the race by disabling interrupts in get_reg().
      
      Tested on m68k (Atari Falcon, and ARAnyM emulator).
      
      Kudos to Geert Uytterhoeven for helping to trace this race.
      Signed-off-by: NMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      9dfa7bba
  19. 07 2月, 2017 1 次提交
  20. 28 1月, 2017 2 次提交
    • J
      random: convert get_random_int/long into get_random_u32/u64 · c440408c
      Jason A. Donenfeld 提交于
      Many times, when a user wants a random number, he wants a random number
      of a guaranteed size. So, thinking of get_random_int and get_random_long
      in terms of get_random_u32 and get_random_u64 makes it much easier to
      achieve this. It also makes the code simpler.
      
      On 32-bit platforms, get_random_int and get_random_long are both aliased
      to get_random_u32. On 64-bit platforms, int->u32 and long->u64.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      c440408c
    • J
      random: use chacha20 for get_random_int/long · f5b98461
      Jason A. Donenfeld 提交于
      Now that our crng uses chacha20, we can rely on its speedy
      characteristics for replacing MD5, while simultaneously achieving a
      higher security guarantee. Before the idea was to use these functions if
      you wanted random integers that aren't stupidly insecure but aren't
      necessarily secure either, a vague gray zone, that hopefully was "good
      enough" for its users. With chacha20, we can strengthen this claim,
      since either we're using an rdrand-like instruction, or we're using the
      same crng as /dev/urandom. And it's faster than what was before.
      
      We could have chosen to replace this with a SipHash-derived function,
      which might be slightly faster, but at the cost of having yet another
      RNG construction in the kernel. By moving to chacha20, we have a single
      RNG to analyze and verify, and we also already get good performance
      improvements on all platforms.
      
      Implementation-wise, rather than use a generic buffer for both
      get_random_int/long and memcpy based on the size needs, we use a
      specific buffer for 32-bit reads and for 64-bit reads. This way, we're
      guaranteed to always have aligned accesses on all platforms. While
      slightly more verbose in C, the assembly this generates is a lot
      simpler than otherwise.
      
      Finally, on 32-bit platforms where longs and ints are the same size,
      we simply alias get_random_int to get_random_long.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Suggested-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      f5b98461
  21. 19 1月, 2017 4 次提交