<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/char/hw_random, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-17T18:49:00+00:00</updated>
<entry>
<title>Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost</title>
<updated>2026-06-17T18:49:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T18:49:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d44ade05aa21468bd30652bc4492891b854a400a'/>
<id>urn:sha1:d44ade05aa21468bd30652bc4492891b854a400a</id>
<content type='text'>
Pull virtio updates from Michael Tsirkin:

 - new virtio CAN driver

 - support for LoongArch architecture in fw_cfg

 - support for firmware notifications in vdpa/octeon_ep

 - support for VFs in virtio core

 - fixes, cleanups all over the place, notably:

    - vhost: fix vhost_get_avail_idx for a non empty ring
      fixing a significant old perf regression

    - READ_ONCE() annotations mean virtio ring is now
      free of KCSAN warnings

* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: (37 commits)
  can: virtio: Fix comment in UAPI header
  can: virtio: Add virtio CAN driver
  virtio: add num_vf callback to virtio_bus
  fw_cfg: Add support for LoongArch architecture
  vdpa/octeon_ep: fix IRQ-to-ring mapping in interrupt handler
  vdpa/octeon_ep: Add vDPA device event handling for firmware notifications
  vdpa/octeon_ep: Use 4 bytes for mailbox signature
  vdpa/octeon_ep: Fix PF-&gt;VF mailbox data address calculation
  vhost_task_create: kill unnecessary .exit_signal initialization
  vhost: remove unnecessary module_init/exit functions
  vdpa/mlx5: Use kvzalloc_flex() for MTT command memory
  vdpa_sim_net: switch to dynamic root device
  vdpa_sim_blk: switch to dynamic root device
  virtio-mem: Destroy mutex before freeing virtio_mem
  virtio-balloon: Destroy mutex before freeing virtio_balloon
  tools/virtio: fix build for kmalloc_obj API and missing stubs
  virtio_ring: Add READ_ONCE annotations for device-writable fields
  vduse: fix compat handling for VDUSE_IOTLB_GET_FD/VDUSE_VQ_GET_INFO
  tools/virtio: check mmap return value in vringh_test
  vhost/net: complete zerocopy ubufs only once
  ...
</content>
</entry>
<entry>
<title>Merge tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6</title>
<updated>2026-06-16T03:31:23+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-16T03:31:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0d8c1134936f1fb6678156ab4248ac740d274525'/>
<id>urn:sha1:0d8c1134936f1fb6678156ab4248ac740d274525</id>
<content type='text'>
Pull crypto updates from Herbert Xu:
 "API:
   - Drop support for off-CPU cryptography in af_alg
   - Document that af_alg is *always* slower
   - Document the deprecation of af_alg
   - Remove zero-copy support from skcipher and aead in af_alg
   - Cap AEAD AD length to 0x80000000 in af_alg
   - Free default RNG on module exit

  Algorithms:
   - Fix vli multiplication carry overflow in ecc
   - Drop unused cipher_null crypto_alg
   - Remove unused variants of drbg
   - Use lib/crypto in drbg
   - Use memcpy_from/to_sglist in authencesn
   - Allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
   - Disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
   - Filter out async aead implementations at alloc in krb5
   - Fix non-parallel fallback by restoring callback in pcrypt
   - Validate poly1305 template argument in chacha20poly1305

  Drivers:
   - Add sysfs PCI reset support to qat
   - Add KPT support for GEN6 devices to qat
   - Remove unused character device and ioctls from qat
   - Add support for hw access via SMCC to mtk
   - Remove prng support from crypto4xx
   - Remove prng support from hisi-trng
   - Remove prng support from sun4i-ss
   - Remove prng support from xilinx-trng
   - Remove loongson-rng
   - Remove exynos-rng

  Others:
   - Remove support for AIO on sockets"

* tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (196 commits)
  crypto: tegra - fix refcount leak in tegra_se_host1x_submit()
  crypto: rng - Free default RNG on module exit
  crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
  hwrng: jh7110 - fix refcount leak in starfive_trng_read()
  crypto: atmel-ecc - drop dead code in atmel_ecdh_max_size
  crypto: cavium/cpt - fix DMA cleanup using wrong loop index
  crypto: marvell/octeontx - fix DMA cleanup using wrong loop index
  MAINTAINERS: make myself the maintainer of the Qualcomm QCE driver
  crypto: amcc - convert irq_of_parse_and_map to platform_get_irq
  crypto: sun4i-ss - Remove insecure and unused rng_alg
  hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/
  crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512
  crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read()
  crypto: xilinx-trng - Remove crypto_rng interface
  crypto: exynos-rng - Remove exynos-rng driver
  hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/
  crypto: hisi-trng - Remove crypto_rng interface
  crypto: loongson - Remove broken and unused loongson-rng
  crypto: crypto4xx - Remove insecure and unused rng_alg
  crypto: qat - validate RSA CRT component lengths
  ...
</content>
</entry>
<entry>
<title>hwrng: jh7110 - fix refcount leak in starfive_trng_read()</title>
<updated>2026-06-12T01:56:45+00:00</updated>
<author>
<name>Wentao Liang</name>
<email>vulab@iscas.ac.cn</email>
</author>
<published>2026-06-03T11:03:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8d13f7a8450206e3f820cdb26e33e91d181071b4'/>
<id>urn:sha1:8d13f7a8450206e3f820cdb26e33e91d181071b4</id>
<content type='text'>
The starfive_trng_read() function acquires a runtime PM reference
via pm_runtime_get_sync() but fails to release it on two error
paths.  If starfive_trng_wait_idle() or starfive_trng_cmd() returns
an error, the function exits without calling
pm_runtime_put_sync_autosuspend(), leaving the runtime PM usage
counter permanently elevated and preventing the device from entering
runtime suspend.

Refactor the function to use a unified error path that calls
pm_runtime_put_sync_autosuspend() before returning.

Cc: stable@vger.kernel.org
Fixes: c388f458bc34 ("hwrng: starfive - Add TRNG driver for StarFive SoC")
Signed-off-by: Wentao Liang &lt;vulab@iscas.ac.cn&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/</title>
<updated>2026-06-12T01:56:26+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-31T19:17:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=be6498ca1cca9084330bdefb68ad8379d1ac5ea7'/>
<id>urn:sha1:be6498ca1cca9084330bdefb68ad8379d1ac5ea7</id>
<content type='text'>
Since this file just implements a hwrng driver, move it into
drivers/char/hw_random/.  Rename the kconfig option accordingly as well.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/</title>
<updated>2026-06-11T06:02:58+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-30T20:26:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ffbb2ebd0c3a7ead6c9128bbbb62fc6d851779bb'/>
<id>urn:sha1:ffbb2ebd0c3a7ead6c9128bbbb62fc6d851779bb</id>
<content type='text'>
Since this file just implements a hwrng driver, move it into
drivers/char/hw_random/.  Rename the kconfig option accordingly as well.

Note that this moves the file back to its original location.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>hwrng: virtio: clamp device-reported used.len at copy_data()</title>
<updated>2026-06-04T05:18:20+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-05-31T14:22:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e3046eeada299f917a8ad883af4434bfb86556b1'/>
<id>urn:sha1:e3046eeada299f917a8ad883af4434bfb86556b1</id>
<content type='text'>
random_recv_done() stores the device-reported used.len directly into
vi-&gt;data_avail.  copy_data() then indexes vi-&gt;data[] using
vi-&gt;data_idx (advanced by previous copy_data() calls) and issues a
memcpy() without re-validating either value against the posted
buffer size sizeof(vi-&gt;data) (SMP_CACHE_BYTES bytes, typically 32
or 64).

A malicious or buggy virtio-rng backend can set used.len beyond
sizeof(vi-&gt;data), steering the memcpy() past the end of the inline
array into adjacent kmalloc-1k slab bytes.  hwrng_fillfn() mixes
those bytes into the guest RNG, and guest root can also observe
them directly via /dev/hwrng.

Concrete impact is inside the guest:

 - Memory-safety / hardening: any virtio-rng backend that
   over-reports used.len causes the driver to read past vi-&gt;data
   into unrelated slab contents.  hwrng_fillfn() is a kernel thread
   that runs as soon as the device is probed; no guest userspace
   interaction is required to first-trigger the OOB.

 - Cross-boundary leak (confidential-compute threat model): a
   malicious hypervisor cooperating with a malicious or compromised
   guest root userspace can use /dev/hwrng as a leak channel for
   guest-kernel heap data.  The host sets a large used.len, guest
   root reads /dev/hwrng, and the returned bytes contain guest
   kernel slab contents that were adjacent to vi-&gt;data.  In
   practice, confidential-compute guests (SEV-SNP, TDX) usually
   disable virtio-rng entirely, so this path is narrow, but the
   fix is still worth carrying because the underlying
   memory-safety bug contaminates the guest RNG on any host.

KASAN confirms the OOB on a 7.1-rc4 guest whose virtio-rng backend
has been patched to report used.len = 0x10000:

  BUG: KASAN: slab-out-of-bounds in virtio_read+0x394/0x5d0
  Read of size 64 at addr ffff88800ae0ba20 by task hwrng/52
  Call Trace:
   __asan_memcpy+0x23/0x60
   virtio_read+0x394/0x5d0
   hwrng_fillfn+0xb2/0x470
   kthread+0x2cc/0x3a0
  Allocated by task 1:
   probe_common+0xa5/0x660
   virtio_dev_probe+0x549/0xbc0
  The buggy address belongs to the object at ffff88800ae0b800
   which belongs to the cache kmalloc-1k of size 1024
  The buggy address is located 0 bytes to the right of
   allocated 544-byte region [ffff88800ae0b800, ffff88800ae0ba20)

Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
overflow in USB transport layer"), which hardened
usb9pfs_rx_complete() against unchecked device-reported length in
the USB 9p transport.

With the clamp at point of use and array_index_nospec() in place,
the same harness boots cleanly: copy_data() returns zero for the
bogus report, the device-supplied bytes after data_idx are
discarded, and the driver issues a fresh request.

Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
Cc: stable@vger.kernel.org
Suggested-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Message-ID: &lt;20260531142251.2792061-1-michael.bommarito@gmail.com&gt;
</content>
</entry>
<entry>
<title>s390/trng: Replace __get_free_page() with kmalloc()</title>
<updated>2026-06-03T13:32:45+00:00</updated>
<author>
<name>Mike Rapoport (Microsoft)</name>
<email>rppt@kernel.org</email>
</author>
<published>2026-05-31T14:08:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b8bce5f1180fe6d9226b6f25af902f905ca015ae'/>
<id>urn:sha1:b8bce5f1180fe6d9226b6f25af902f905ca015ae</id>
<content type='text'>
trng_read() allocates a temporary staging buffer for CPACF TRNG
random data before copying it to userspace.

This buffer can be allocated with kmalloc() as there's nothing special
about it to go directly to the page allocator.

kmalloc() provides a better API that does not require ugly casts and
kfree() does not need to know the size of the freed object.

Performance difference between kmalloc() and __get_free_pages() is not
measurable as both allocators take an object/page from a per-CPU list for
fast path allocations.

For the slow path the performance is anyway determined by the amount of
reclaim involved rather than by what allocator is used.

Replace use of __get_free_page() with kmalloc() and free_page() with
kfree().

Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Reviewed-by: Heiko Carstens &lt;hca@linux.ibm.com&gt;
Signed-off-by: Mike Rapoport (Microsoft) &lt;rppt@kernel.org&gt;
Signed-off-by: Alexander Gordeev &lt;agordeev@linux.ibm.com&gt;
</content>
</entry>
<entry>
<title>hwrng: core - use sysfs_emit_at in rng_available_show</title>
<updated>2026-05-15T10:08:37+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-05-05T09:45:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cdf940215537d6028177eea88e89bd8788719a99'/>
<id>urn:sha1:cdf940215537d6028177eea88e89bd8788719a99</id>
<content type='text'>
Replace strlcat() with sysfs_emit_at() in rng_available_show() and add
'int len' to keep track of the number of bytes written. sysfs_emit_at()
is preferred for formatting sysfs output because it provides safer
bounds checking.

Inline mutex_lock_interruptible() and drop the now-unused local error
variable. Remove the unnecessary 'buf' NUL initialization. Return 'len'
directly instead of strlen(buf).

Reviewed-by: Andy Shevchenko &lt;andriy.shevchenko@intel.com&gt;
Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>hwrng: core - use MAX to simplify RNG_BUFFER_SIZE</title>
<updated>2026-05-15T10:08:37+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-05-05T09:45:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=dc3ec9af62a92a46378960e599521c2ac5f81343'/>
<id>urn:sha1:dc3ec9af62a92a46378960e599521c2ac5f81343</id>
<content type='text'>
Replace the open-coded variant with MAX().

Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>hwrng: core - use bool for wait parameter in rng_get_data</title>
<updated>2026-05-15T10:08:37+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2026-05-05T09:45:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3541710791922e6ba090eb18f60b932f76c9b8cb'/>
<id>urn:sha1:3541710791922e6ba090eb18f60b932f76c9b8cb</id>
<content type='text'>
The wait parameter in rng_get_data() is a boolean flag - use bool
instead of int to better reflect its actual type.

Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
</feed>
