kernel-6.6.0-0.rc7.20231024gitd88520ad73b7.55

* Tue Oct 24 2023 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.6.0-0.rc7.d88520ad73b7.55]
- redhat: remove pending-rhel CONFIG_XFS_ASSERT_FATAL file (Patrick Talbert)
- New configs in fs/xfs (Fedora Kernel Team)
- crypto: rng - Override drivers/char/random in FIPS mode (Herbert Xu)
- random: Add hook to override device reads and getrandom(2) (Herbert Xu)
- Linux v6.6.0-0.rc7.d88520ad73b7
Resolves:

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 54
+RHEL_RELEASE = 55
 
 #
 # RHEL_REBASE_NUM

Patchlist.changelog

@@ -1,3 +1,9 @@
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/1820b71069f04d9347e71caeb9fe49e095dd28ec
+ 1820b71069f04d9347e71caeb9fe49e095dd28ec crypto: rng - Override drivers/char/random in FIPS mode
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/325cfb22f086df02e268cfbfa6ff96d89d0acd5d
+ 325cfb22f086df02e268cfbfa6ff96d89d0acd5d random: Add hook to override device reads and getrandom(2)
+
 "https://gitlab.com/cki-project/kernel-ark/-/commit"/8374deeb36ca291927f714ba4b78349fb3a6e3b1
  8374deeb36ca291927f714ba4b78349fb3a6e3b1 [redhat] kernel/rh_messages.c: move hardware tables to rh_messages.h
 

kernel-aarch64-64k-debug-rhel.config

@@ -7855,7 +7855,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-aarch64-64k-rhel.config

@@ -7830,7 +7830,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-aarch64-debug-rhel.config

@@ -7851,7 +7851,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-aarch64-rhel.config

@@ -7826,7 +7826,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-aarch64-rt-debug-rhel.config

@@ -7907,7 +7907,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-aarch64-rt-rhel.config

@@ -7882,7 +7882,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-ppc64le-debug-rhel.config

@@ -7330,7 +7330,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-ppc64le-rhel.config

@@ -7307,7 +7307,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-s390x-debug-rhel.config

@@ -7315,7 +7315,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-s390x-rhel.config

@@ -7292,7 +7292,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-s390x-zfcpdump-rhel.config

@@ -7315,7 +7315,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 # CONFIG_XFS_FS is not set
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-x86_64-debug-rhel.config

@@ -7665,7 +7665,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-x86_64-rhel.config

@@ -7641,7 +7641,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-x86_64-rt-debug-rhel.config

@@ -7722,7 +7722,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel-x86_64-rt-rhel.config

@@ -7698,7 +7698,6 @@ CONFIG_XFRM_SUB_POLICY=y
 # CONFIG_XFRM_USER_COMPAT is not set
 CONFIG_XFRM_USER=y
 CONFIG_XFRM=y
-CONFIG_XFS_ASSERT_FATAL=y
 # CONFIG_XFS_DEBUG is not set
 CONFIG_XFS_FS=m
 # CONFIG_XFS_ONLINE_REPAIR is not set

kernel.spec

@@ -163,13 +163,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.6.0
 %define specversion 6.6.0
 %define patchversion 6.6
-%define pkgrelease 0.rc7.54
+%define pkgrelease 0.rc7.20231024gitd88520ad73b7.55
 %define kversion 6
-%define tarfile_release 6.6-rc7
+%define tarfile_release 6.6-rc7-18-gd88520ad73b7
 # This is needed to do merge window version magic
 %define patchlevel 6
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc7.54%{?buildid}%{?dist}
+%define specrelease 0.rc7.20231024gitd88520ad73b7.55%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.6.0
 
@@ -3709,6 +3709,13 @@ fi\
 #
 #
 %changelog
+* Tue Oct 24 2023 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.6.0-0.rc7.d88520ad73b7.55]
+- redhat: remove pending-rhel CONFIG_XFS_ASSERT_FATAL file (Patrick Talbert)
+- New configs in fs/xfs (Fedora Kernel Team)
+- crypto: rng - Override drivers/char/random in FIPS mode (Herbert Xu)
+- random: Add hook to override device reads and getrandom(2) (Herbert Xu)
+- Linux v6.6.0-0.rc7.d88520ad73b7
+
 * Mon Oct 23 2023 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.6.0-0.rc7.54]
 - Linux v6.6.0-0.rc7
 

patch-6.6-redhat.patch

@@ -9,12 +9,15 @@
  arch/s390/kernel/setup.c                           |   4 +
  arch/x86/kernel/cpu/common.c                       |   1 +
  arch/x86/kernel/setup.c                            |  68 ++-
+ crypto/drbg.c                                      |  18 +-
+ crypto/rng.c                                       | 149 +++++-
  drivers/acpi/apei/hest.c                           |   8 +
  drivers/acpi/irq.c                                 |  17 +-
  drivers/acpi/scan.c                                |   9 +
  drivers/ata/libahci.c                              |  18 +
  drivers/char/ipmi/ipmi_dmi.c                       |  15 +
  drivers/char/ipmi/ipmi_msghandler.c                |  16 +-
+ drivers/char/random.c                              | 122 +++++
  drivers/firmware/efi/Makefile                      |   1 +
  drivers/firmware/efi/efi.c                         | 124 +++--
  drivers/firmware/efi/secureboot.c                  |  38 ++
@@ -41,12 +44,14 @@
  drivers/scsi/sd.c                                  |  10 +
  drivers/usb/core/hub.c                             |   7 +
  fs/afs/main.c                                      |   3 +
+ include/linux/crypto.h                             |   1 +
  include/linux/efi.h                                |  22 +-
  include/linux/kernel.h                             |  14 +
  include/linux/lsm_hook_defs.h                      |   2 +
  include/linux/module.h                             |   5 +
  include/linux/panic.h                              |  18 +-
  include/linux/pci.h                                |   5 +
+ include/linux/random.h                             |  10 +
  include/linux/rh_kabi.h                            | 515 +++++++++++++++++++++
  include/linux/rmi.h                                |   1 +
  include/linux/security.h                           |   5 +
@@ -64,7 +69,7 @@
  security/lockdown/Kconfig                          |  13 +
  security/lockdown/lockdown.c                       |   1 +
  security/security.c                                |  12 +
- 66 files changed, 1779 insertions(+), 188 deletions(-)
+ 71 files changed, 2060 insertions(+), 207 deletions(-)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
 index 0a1731a0f0ef..7015d8d057a0 100644
@@ -359,6 +364,280 @@ index b098b1fa2470..6b936d786590 100644
  	unwind_init();
  }
  
+diff --git a/crypto/drbg.c b/crypto/drbg.c
+index ff4ebbc68efa..2410034cca4f 100644
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1510,13 +1510,14 @@ static int drbg_generate(struct drbg_state *drbg,
+  * Wrapper around drbg_generate which can pull arbitrary long strings
+  * from the DRBG without hitting the maximum request limitation.
+  *
+- * Parameters: see drbg_generate
++ * Parameters: see drbg_generate, except @reseed, which triggers reseeding
+  * Return codes: see drbg_generate -- if one drbg_generate request fails,
+  *		 the entire drbg_generate_long request fails
+  */
+ static int drbg_generate_long(struct drbg_state *drbg,
+ 			      unsigned char *buf, unsigned int buflen,
+-			      struct drbg_string *addtl)
++			      struct drbg_string *addtl,
++			      bool reseed)
+ {
+ 	unsigned int len = 0;
+ 	unsigned int slice = 0;
+@@ -1526,6 +1527,8 @@ static int drbg_generate_long(struct drbg_state *drbg,
+ 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
+ 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
+ 		mutex_lock(&drbg->drbg_mutex);
++		if (reseed)
++			drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
+ 		err = drbg_generate(drbg, buf + len, chunk, addtl);
+ 		mutex_unlock(&drbg->drbg_mutex);
+ 		if (0 > err)
+@@ -1952,6 +1955,7 @@ static int drbg_kcapi_random(struct crypto_rng *tfm,
+ 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
+ 	struct drbg_string *addtl = NULL;
+ 	struct drbg_string string;
++	int err;
+ 
+ 	if (slen) {
+ 		/* linked list variable is now local to allow modification */
+@@ -1959,7 +1963,15 @@ static int drbg_kcapi_random(struct crypto_rng *tfm,
+ 		addtl = &string;
+ 	}
+ 
+-	return drbg_generate_long(drbg, dst, dlen, addtl);
++	err = drbg_generate_long(drbg, dst, dlen, addtl,
++				 (crypto_tfm_get_flags(crypto_rng_tfm(tfm)) &
++				  CRYPTO_TFM_REQ_NEED_RESEED) ==
++				 CRYPTO_TFM_REQ_NEED_RESEED);
++
++	crypto_tfm_clear_flags(crypto_rng_tfm(tfm),
++			       CRYPTO_TFM_REQ_NEED_RESEED);
++
++	return err;
+ }
+ 
+ /*
+diff --git a/crypto/rng.c b/crypto/rng.c
+index 279dffdebf59..d24dd37205cd 100644
+--- a/crypto/rng.c
++++ b/crypto/rng.c
+@@ -12,10 +12,13 @@
+ #include <linux/atomic.h>
+ #include <linux/cryptouser.h>
+ #include <linux/err.h>
++#include <linux/fips.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
+ #include <linux/random.h>
++#include <linux/sched.h>
++#include <linux/sched/signal.h>
+ #include <linux/seq_file.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+@@ -23,7 +26,9 @@
+ 
+ #include "internal.h"
+ 
+-static DEFINE_MUTEX(crypto_default_rng_lock);
++static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_reseed_rng_lock);
++static struct crypto_rng *crypto_reseed_rng;
++static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_default_rng_lock);
+ struct crypto_rng *crypto_default_rng;
+ EXPORT_SYMBOL_GPL(crypto_default_rng);
+ static int crypto_default_rng_refcnt;
+@@ -136,31 +141,37 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, u32 type, u32 mask)
+ }
+ EXPORT_SYMBOL_GPL(crypto_alloc_rng);
+ 
+-int crypto_get_default_rng(void)
++static int crypto_get_rng(struct crypto_rng **rngp)
+ {
+ 	struct crypto_rng *rng;
+ 	int err;
+ 
+-	mutex_lock(&crypto_default_rng_lock);
+-	if (!crypto_default_rng) {
++	if (!*rngp) {
+ 		rng = crypto_alloc_rng("stdrng", 0, 0);
+ 		err = PTR_ERR(rng);
+ 		if (IS_ERR(rng))
+-			goto unlock;
++			return err;
+ 
+ 		err = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng));
+ 		if (err) {
+ 			crypto_free_rng(rng);
+-			goto unlock;
++			return err;
+ 		}
+ 
+-		crypto_default_rng = rng;
++		*rngp = rng;
+ 	}
+ 
+-	crypto_default_rng_refcnt++;
+-	err = 0;
++	return 0;
++}
++
++int crypto_get_default_rng(void)
++{
++	int err;
+ 
+-unlock:
++	mutex_lock(&crypto_default_rng_lock);
++	err = crypto_get_rng(&crypto_default_rng);
++	if (!err)
++		crypto_default_rng_refcnt++;
+ 	mutex_unlock(&crypto_default_rng_lock);
+ 
+ 	return err;
+@@ -176,24 +187,33 @@ void crypto_put_default_rng(void)
+ EXPORT_SYMBOL_GPL(crypto_put_default_rng);
+ 
+ #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
+-int crypto_del_default_rng(void)
++static int crypto_del_rng(struct crypto_rng **rngp, int *refcntp,
++		      struct mutex *lock)
+ {
+ 	int err = -EBUSY;
+ 
+-	mutex_lock(&crypto_default_rng_lock);
+-	if (crypto_default_rng_refcnt)
++	mutex_lock(lock);
++	if (refcntp && *refcntp)
+ 		goto out;
+ 
+-	crypto_free_rng(crypto_default_rng);
+-	crypto_default_rng = NULL;
++	crypto_free_rng(*rngp);
++	*rngp = NULL;
+ 
+ 	err = 0;
+ 
+ out:
+-	mutex_unlock(&crypto_default_rng_lock);
++	mutex_unlock(lock);
+ 
+ 	return err;
+ }
++
++int crypto_del_default_rng(void)
++{
++	return crypto_del_rng(&crypto_default_rng, &crypto_default_rng_refcnt,
++			      &crypto_default_rng_lock) ?:
++	       crypto_del_rng(&crypto_reseed_rng, NULL,
++			      &crypto_reseed_rng_lock);
++}
+ EXPORT_SYMBOL_GPL(crypto_del_default_rng);
+ #endif
+ 
+@@ -251,5 +271,102 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count)
+ }
+ EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
+ 
++static ssize_t crypto_devrandom_read_iter(struct iov_iter *iter, bool reseed)
++{
++	struct crypto_rng *rng;
++	u8 tmp[256];
++	ssize_t ret;
++
++	if (unlikely(!iov_iter_count(iter)))
++		return 0;
++
++	if (reseed) {
++		u32 flags = 0;
++
++		/* If reseeding is requested, acquire a lock on
++		 * crypto_reseed_rng so it is not swapped out until
++		 * the initial random bytes are generated.
++		 *
++		 * The algorithm implementation is also protected with
++		 * a separate mutex (drbg->drbg_mutex) around the
++		 * reseed-and-generate operation.
++		 */
++		mutex_lock(&crypto_reseed_rng_lock);
++
++		/* If crypto_default_rng is not set, it will be seeded
++		 * at creation in __crypto_get_default_rng and thus no
++		 * reseeding is needed.
++		 */
++		if (crypto_reseed_rng)
++			flags |= CRYPTO_TFM_REQ_NEED_RESEED;
++
++		ret = crypto_get_rng(&crypto_reseed_rng);
++		if (ret) {
++			mutex_unlock(&crypto_reseed_rng_lock);
++			return ret;
++		}
++
++		rng = crypto_reseed_rng;
++		crypto_tfm_set_flags(crypto_rng_tfm(rng), flags);
++	} else {
++		ret = crypto_get_default_rng();
++		if (ret)
++			return ret;
++		rng = crypto_default_rng;
++	}
++
++	for (;;) {
++		size_t i, copied;
++		int err;
++
++		i = min_t(size_t, iov_iter_count(iter), sizeof(tmp));
++		err = crypto_rng_get_bytes(rng, tmp, i);
++		if (err) {
++			ret = err;
++			break;
++		}
++
++		copied = copy_to_iter(tmp, i, iter);
++		ret += copied;
++
++		if (!iov_iter_count(iter))
++			break;
++
++		if (need_resched()) {
++			if (signal_pending(current))
++				break;
++			schedule();
++		}
++	}
++
++	if (reseed)
++		mutex_unlock(&crypto_reseed_rng_lock);
++	else
++		crypto_put_default_rng();
++	memzero_explicit(tmp, sizeof(tmp));
++
++	return ret;
++}
++
++static const struct random_extrng crypto_devrandom_rng = {
++	.extrng_read_iter = crypto_devrandom_read_iter,
++	.owner = THIS_MODULE,
++};
++
++static int __init crypto_rng_init(void)
++{
++	if (fips_enabled)
++		random_register_extrng(&crypto_devrandom_rng);
++	return 0;
++}
++
++static void __exit crypto_rng_exit(void)
++{
++	random_unregister_extrng();
++}
++
++late_initcall(crypto_rng_init);
++module_exit(crypto_rng_exit);
++
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Random Number Generator");
 diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c
 index 6aef1ee5e1bd..8f146b1b4972 100644
 --- a/drivers/acpi/apei/hest.c
@@ -531,6 +810,203 @@ index 186f1fee7534..93e3a76596ff 100644
  	mutex_lock(&ipmi_interfaces_mutex);
  	rv = ipmi_register_driver();
  	mutex_unlock(&ipmi_interfaces_mutex);
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 3cb37760dfec..20aa9f3b8b48 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -51,6 +51,7 @@
+ #include <linux/completion.h>
+ #include <linux/uuid.h>
+ #include <linux/uaccess.h>
++#include <linux/rcupdate.h>
+ #include <linux/suspend.h>
+ #include <linux/siphash.h>
+ #include <linux/sched/isolation.h>
+@@ -309,6 +310,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
+ 	memzero_explicit(first_block, sizeof(first_block));
+ }
+ 
++/*
++ * Hook for external RNG.
++ */
++static const struct random_extrng __rcu *extrng;
++
+ /*
+  * This function returns a ChaCha state that you may use for generating
+  * random data. It also returns up to 32 bytes on its own of random data
+@@ -739,6 +745,9 @@ static void __cold _credit_init_bits(size_t bits)
+ }
+ 
+ 
++static const struct file_operations extrng_random_fops;
++static const struct file_operations extrng_urandom_fops;
++
+ /**********************************************************************
+  *
+  * Entropy collection routines.
+@@ -956,6 +965,19 @@ void __init add_bootloader_randomness(const void *buf, size_t len)
+ 		credit_init_bits(len * 8);
+ }
+ 
++void random_register_extrng(const struct random_extrng *rng)
++{
++	rcu_assign_pointer(extrng, rng);
++}
++EXPORT_SYMBOL_GPL(random_register_extrng);
++
++void random_unregister_extrng(void)
++{
++	RCU_INIT_POINTER(extrng, NULL);
++	synchronize_rcu();
++}
++EXPORT_SYMBOL_GPL(random_unregister_extrng);
++
+ #if IS_ENABLED(CONFIG_VMGENID)
+ static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
+ 
+@@ -1366,6 +1388,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags
+ 	struct iov_iter iter;
+ 	struct iovec iov;
+ 	int ret;
++	const struct random_extrng *rng;
+ 
+ 	if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
+ 		return -EINVAL;
+@@ -1377,6 +1400,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags
+ 	if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM))
+ 		return -EINVAL;
+ 
++	rcu_read_lock();
++	rng = rcu_dereference(extrng);
++	if (rng && !try_module_get(rng->owner))
++		rng = NULL;
++	rcu_read_unlock();
++
++	if (rng) {
++		ret = import_single_range(ITER_DEST, ubuf, len, &iov, &iter);
++		if (unlikely(ret))
++			return ret;
++		ret = rng->extrng_read_iter(&iter, !!(flags & GRND_RANDOM));
++		module_put(rng->owner);
++		return ret;
++	}
++
+ 	if (!crng_ready() && !(flags & GRND_INSECURE)) {
+ 		if (flags & GRND_NONBLOCK)
+ 			return -EAGAIN;
+@@ -1397,6 +1435,12 @@ static __poll_t random_poll(struct file *file, poll_table *wait)
+ 	return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM;
+ }
+ 
++static __poll_t extrng_poll(struct file *file, poll_table * wait)
++{
++	/* extrng pool is always full, always read, no writes */
++	return EPOLLIN | EPOLLRDNORM;
++}
++
+ static ssize_t write_pool_user(struct iov_iter *iter)
+ {
+ 	u8 block[BLAKE2S_BLOCK_SIZE];
+@@ -1538,7 +1582,58 @@ static int random_fasync(int fd, struct file *filp, int on)
+ 	return fasync_helper(fd, filp, on, &fasync);
+ }
+ 
++static int random_open(struct inode *inode, struct file *filp)
++{
++	const struct random_extrng *rng;
++
++	rcu_read_lock();
++	rng = rcu_dereference(extrng);
++	if (rng && !try_module_get(rng->owner))
++		rng = NULL;
++	rcu_read_unlock();
++
++	if (!rng)
++		return 0;
++
++	filp->f_op = &extrng_random_fops;
++	filp->private_data = rng->owner;
++
++	return 0;
++}
++
++static int urandom_open(struct inode *inode, struct file *filp)
++{
++	const struct random_extrng *rng;
++
++	rcu_read_lock();
++	rng = rcu_dereference(extrng);
++	if (rng && !try_module_get(rng->owner))
++		rng = NULL;
++	rcu_read_unlock();
++
++	if (!rng)
++		return 0;
++
++	filp->f_op = &extrng_urandom_fops;
++	filp->private_data = rng->owner;
++
++	return 0;
++}
++
++static int extrng_release(struct inode *inode, struct file *filp)
++{
++	module_put(filp->private_data);
++	return 0;
++}
++
++static ssize_t
++extrng_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
++{
++	return rcu_dereference_raw(extrng)->extrng_read_iter(iter, false);
++}
++
+ const struct file_operations random_fops = {
++	.open  = random_open,
+ 	.read_iter = random_read_iter,
+ 	.write_iter = random_write_iter,
+ 	.poll = random_poll,
+@@ -1551,6 +1646,7 @@ const struct file_operations random_fops = {
+ };
+ 
+ const struct file_operations urandom_fops = {
++	.open  = urandom_open,
+ 	.read_iter = urandom_read_iter,
+ 	.write_iter = random_write_iter,
+ 	.unlocked_ioctl = random_ioctl,
+@@ -1561,6 +1657,32 @@ const struct file_operations urandom_fops = {
+ 	.splice_write = iter_file_splice_write,
+ };
+ 
++static const struct file_operations extrng_random_fops = {
++	.open  = random_open,
++	.read_iter  = extrng_read_iter,
++	.write_iter = random_write_iter,
++	.poll  = extrng_poll,
++	.unlocked_ioctl = random_ioctl,
++	.compat_ioctl = compat_ptr_ioctl,
++	.fasync = random_fasync,
++	.llseek = noop_llseek,
++	.release = extrng_release,
++	.splice_read = copy_splice_read,
++	.splice_write = iter_file_splice_write,
++};
++
++static const struct file_operations extrng_urandom_fops = {
++	.open  = urandom_open,
++	.read_iter  = extrng_read_iter,
++	.write_iter = random_write_iter,
++	.unlocked_ioctl = random_ioctl,
++	.compat_ioctl = compat_ptr_ioctl,
++	.fasync = random_fasync,
++	.llseek = noop_llseek,
++	.release = extrng_release,
++	.splice_read = copy_splice_read,
++	.splice_write = iter_file_splice_write,
++};
+ 
+ /********************************************************************
+  *
 diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
 index e489fefd23da..f2dfae764fb5 100644
 --- a/drivers/firmware/efi/Makefile
@@ -1704,6 +2180,18 @@ index eae288c8d40a..8b8bf447cedc 100644
  	return ret;
  
  error_proc:
+diff --git a/include/linux/crypto.h b/include/linux/crypto.h
+index 31f6fee0c36c..b099200de233 100644
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -135,6 +135,7 @@
+ #define CRYPTO_TFM_REQ_FORBID_WEAK_KEYS	0x00000100
+ #define CRYPTO_TFM_REQ_MAY_SLEEP	0x00000200
+ #define CRYPTO_TFM_REQ_MAY_BACKLOG	0x00000400
++#define CRYPTO_TFM_REQ_NEED_RESEED	0x00000800
+ 
+ /*
+  * Miscellaneous stuff.
 diff --git a/include/linux/efi.h b/include/linux/efi.h
 index 80b21d1c6eaf..b66c0683f2fc 100644
 --- a/include/linux/efi.h
@@ -1881,6 +2369,34 @@ index 8c7c2c3c6c65..ee66c86fc538 100644
  #if defined(CONFIG_PCIEPORTBUS) || defined(CONFIG_EEH)
  void pci_uevent_ers(struct pci_dev *pdev, enum  pci_ers_result err_type);
  #endif
+diff --git a/include/linux/random.h b/include/linux/random.h
+index b0a940af4fff..8a52424fd0d5 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -9,6 +9,13 @@
+ 
+ #include <uapi/linux/random.h>
+ 
++struct iov_iter;
++
++struct random_extrng {
++	ssize_t (*extrng_read_iter)(struct iov_iter *iter, bool reseed);
++	struct module *owner;
++};
++
+ struct notifier_block;
+ 
+ void add_device_randomness(const void *buf, size_t len);
+@@ -157,6 +164,9 @@ int random_prepare_cpu(unsigned int cpu);
+ int random_online_cpu(unsigned int cpu);
+ #endif
+ 
++void random_register_extrng(const struct random_extrng *rng);
++void random_unregister_extrng(void);
++
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+ #endif
 diff --git a/include/linux/rh_kabi.h b/include/linux/rh_kabi.h
 new file mode 100644
 index 000000000000..c7b42c1f1681

sources

@@ -1,3 +1,3 @@
-SHA512 (linux-6.6-rc7.tar.xz) = c554605c021dc569a22d5479a0792f5fc23a949a9fb76343ee3594b72514f2950611db69d4f1ab5a8d390ed979fd41a87aee080bbebf78c9cfc882e608ab63e3
+SHA512 (linux-6.6-rc7-18-gd88520ad73b7.tar.xz) = def0ee2feec1780c60049aa4fdb8d06fc16052a680712044750f0338af2a07d1c08e03db2fcae2163ea2196e935013740fee692fd72a82efa0bf83d24a8b248e
-SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 896b1b24617e3a6905c26dd2a50b23ff2e2c7627f6b6dc12b328d5f74109016722b4ba050c5051886cb597308a793366346a34d7ec82a658b646d5288b347ae7
+SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = e71711bc322fd6c936efc31ee25054dfc85e21dd7cdbecf151dcff39eadcd3ac32d769667957687d7816c733c824ef8d5d8af30a3bcf4725b28833194a926ec8
-SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = f98c14408c8434ecd253c6781c4f918cf1497da7bd55a79382fcf9dc67512d48e9357825c99a960616d2a9403d55be46989344cd201f762fd5450a2115e43c2a
+SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 7ba67c6e5874e4336adfa4dbe459d27c256367e0355d77d4b02ca067ee3a65dd1876aa58b7c1d93c5a293d86b6041403f2aca9bfb58564ccd4b393cce468bbef