 @@ -1,14 +1,14 @@
-/*	$NetBSD: kern_entropy.c,v 1.48 2022/03/20 14:05:41 riastradh Exp $	*/
+/*	$NetBSD: kern_entropy.c,v 1.49 2022/03/20 14:30:56 riastradh Exp $	*/
 /*-
  * Copyright (c) 2019 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Taylor R. Campbell.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -65,27 +65,27 @@
  *	* No entropy estimation based on the sample values, which is a
  *	  contradiction in terms and a potential source of side
  *	  channels.  It is the responsibility of the driver author to
  *	  study how predictable the physical source of input can ever
  *	  be, and to furnish a lower bound on the amount of entropy it
  *	  has.
+ *
  *	* Entropy depletion is available for testing (or if you're into
  *	  that sort of thing), with sysctl -w kern.entropy.depletion=1;
  *	  the logic to support it is small, to minimize chance of bugs.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_entropy.c,v 1.48 2022/03/20 14:05:41 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_entropy.c,v 1.49 2022/03/20 14:30:56 riastradh Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/compat_stub.h>
 #include <sys/condvar.h>
 #include <sys/cpu.h>
 #include <sys/entropy.h>
 #include <sys/errno.h>
 #include <sys/evcnt.h>
 #include <sys/event.h>
 #include <sys/file.h>
 #include <sys/intr.h>
 @@ -250,27 +250,27 @@ static void	entropy_account_cpu(struct e
 static void	entropy_enter(const void *, size_t, unsigned);
 static bool	entropy_enter_intr(const void *, size_t, unsigned);
 static void	entropy_softintr(void *);
 static void	entropy_thread(void *);
 static uint32_t	entropy_pending(void);
 static void	entropy_pending_cpu(void *, void *, struct cpu_info *);
 static void	entropy_do_consolidate(void);
 static void	entropy_consolidate_xc(void *, void *);
 static void	entropy_notify(void);
 static int	sysctl_entropy_consolidate(SYSCTLFN_ARGS);
 static int	sysctl_entropy_gather(SYSCTLFN_ARGS);
 static void	filt_entropy_read_detach(struct knote *);
 static int	filt_entropy_read_event(struct knote *, long);
-static void	entropy_request(size_t);
+static int	entropy_request(size_t, int);
 static void	rnd_add_data_1(struct krndsource *, const void *, uint32_t,
 		    uint32_t, uint32_t);
 static unsigned	rndsource_entropybits(struct krndsource *);
 static void	rndsource_entropybits_cpu(void *, void *, struct cpu_info *);
 static void	rndsource_to_user(struct krndsource *, rndsource_t *);
 static void	rndsource_to_user_est(struct krndsource *, rndsource_est_t *);
 static void	rndsource_to_user_est_cpu(void *, void *, struct cpu_info *);
 /*
  * entropy_timer()
+ *
  *	Cycle counter, time counter, or anything that changes a wee bit
  *	unpredictably.
 @@ -638,35 +638,37 @@ entropy_seed(rndsave_t *seed)
 	    seed->entropy);
 	explicit_memset(seed, 0, sizeof(*seed));
+}
 /*
  * entropy_bootrequest()
+ *
  *	Request entropy from all sources at boot, once config is
  *	complete and interrupts are running.
  */
 void
 entropy_bootrequest(void)
+{
 	int error;
 	KASSERT(E->stage >= ENTROPY_WARM);
 	/*
 	 * Request enough to satisfy the maximum entropy shortage.
 	 * This is harmless overkill if the bootloader provided a seed.
 	 */
 	mutex_enter(&E->lock);
-	entropy_request(ENTROPY_CAPACITY);
+	error = entropy_request(ENTROPY_CAPACITY, ENTROPY_WAIT);
 	KASSERT(error == 0);
 	mutex_exit(&E->lock);
+}
 /*
  * entropy_epoch()
+ *
  *	Returns the current entropy epoch.  If this changes, you should
  *	reseed.  If -1, means system entropy has not yet reached full
  *	entropy or been explicitly consolidated; never reverts back to
  *	-1.  Never zero, so you can always use zero as an uninitialized
  *	sentinel value meaning `reseed ASAP'.
+ *
  *	Usage model:
 @@ -1290,27 +1292,28 @@ sysctl_entropy_gather(SYSCTLFN_ARGS)
+{
 	struct sysctlnode node = *rnode;
 	int arg;
 	int error;
 	KASSERT(E->stage == ENTROPY_HOT);
 	node.sysctl_data = &arg;
 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
 	if (error || newp == NULL)
 		return error;
 	if (arg) {
 		mutex_enter(&E->lock);
-		entropy_request(ENTROPY_CAPACITY);
+		error = entropy_request(ENTROPY_CAPACITY,
 		    ENTROPY_WAIT|ENTROPY_SIG);
 		mutex_exit(&E->lock);
+	}
 	return 0;
+}
 /*
  * entropy_extract(buf, len, flags)
+ *
  *	Extract len bytes from the global entropy pool into buf.
+ *
  *	Flags may have:
+ *
 @@ -1343,27 +1346,29 @@ entropy_extract(void *buf, size_t len, i
+	}
 	/* Refuse to operate in interrupt context.  */
 	KASSERT(!cpu_intr_p());
 	/* Acquire the global lock to get at the global pool.  */
 	if (E->stage >= ENTROPY_WARM)
 		mutex_enter(&E->lock);
 	/* Wait until there is enough entropy in the system.  */
 	error = 0;
 	while (E->needed) {
 		/* Ask for more, synchronously if possible.  */
-		entropy_request(len);
+		error = entropy_request(len, flags);
 		if (error)
 			break;
 		/* If we got enough, we're done.  */
 		if (E->needed == 0) {
 			KASSERT(error == 0);
 			break;
+		}
 		/* If not waiting, stop here.  */
 		if (!ISSET(flags, ENTROPY_WAIT)) {
 			error = EWOULDBLOCK;
 			break;
+		}
 @@ -1667,75 +1672,64 @@ rnd_detach_source(struct krndsource *rs)
 	/* Wait until the source list is not in use, and remove it.  */
 	mutex_enter(&E->lock);
 	while (E->sourcelock)
 		cv_wait(&E->sourcelock_cv, &E->lock);
 	LIST_REMOVE(rs, list);
 	mutex_exit(&E->lock);
 	/* Free the per-CPU data.  */
 	percpu_free(rs->state, sizeof(struct rndsource_cpu));
+}
 /*
- * rnd_lock_sources()
+ * rnd_lock_sources(flags)
+ *
  *	Lock the list of entropy sources.  Caller must hold the global
  *	entropy lock.  If successful, no rndsource will go away until
  *	rnd_unlock_sources even while the caller releases the global
  *	entropy lock.
+ *
- *	Prevent changes to the list of rndsources while we iterate it.
+ *	If flags & ENTROPY_WAIT, wait for concurrent access to finish.
- *	Interruptible.  Caller must hold the global entropy lock.  If
+ *	If flags & ENTROPY_SIG, allow interruption by signal.
  *	successful, no rndsource will go away until rnd_unlock_sources
  *	even while the caller releases the global entropy lock.
  */
-static int
+static int __attribute__((warn_unused_result))
-rnd_lock_sources(void)
+rnd_lock_sources(int flags)
+{
 	int error;
 	KASSERT(mutex_owned(&E->lock));
 	while (E->sourcelock) {
-		error = cv_wait_sig(&E->sourcelock_cv, &E->lock);
+		if (!ISSET(flags, ENTROPY_WAIT))
-		if (error)
+			return EWOULDBLOCK;
-			return error;
+		if (ISSET(flags, ENTROPY_SIG)) {
 			error = cv_wait_sig(&E->sourcelock_cv, &E->lock);
 			if (error)
 				return error;
 		} else {
 			cv_wait(&E->sourcelock_cv, &E->lock);
+		}
+	}
 	E->sourcelock = curlwp;
 	return 0;
+}
 /*
  * rnd_trylock_sources()
  *	Try to lock the list of sources, but if it's already locked,
  *	fail.  Caller must hold the global entropy lock.  If
  *	successful, no rndsource will go away until rnd_unlock_sources
  *	even while the caller releases the global entropy lock.
  */
 static bool
 rnd_trylock_sources(void)
 	KASSERT(E->stage == ENTROPY_COLD || mutex_owned(&E->lock));
 	if (E->sourcelock)
 		return false;
 	E->sourcelock = curlwp;
 	return true;
 /*
  * rnd_unlock_sources()
+ *
- *	Unlock the list of sources after rnd_lock_sources or
+ *	Unlock the list of sources after rnd_lock_sources.  Caller must
- *	rnd_trylock_sources.  Caller must hold the global entropy lock.
+ *	hold the global entropy lock.
  */
 static void
 rnd_unlock_sources(void)
+{
 	KASSERT(E->stage == ENTROPY_COLD || mutex_owned(&E->lock));
 	KASSERTMSG(E->sourcelock == curlwp, "lwp %p releasing lock held by %p",
 	    curlwp, E->sourcelock);
 	E->sourcelock = NULL;
 	if (E->stage >= ENTROPY_WARM)
 		cv_signal(&E->sourcelock_cv);
+}
 @@ -1744,74 +1738,82 @@ rnd_unlock_sources(void)
  * rnd_sources_locked()
+ *
  *	True if we hold the list of rndsources locked, for diagnostic
  *	assertions.
  */
 static bool __diagused
 rnd_sources_locked(void)
+{
 	return E->sourcelock == curlwp;
+}
 /*
- * entropy_request(nbytes)
+ * entropy_request(nbytes, flags)
+ *
  *	Request nbytes bytes of entropy from all sources in the system.
  *	OK if we overdo it.  Caller must hold the global entropy lock;
  *	will release and re-acquire it.
+ *
  *	If flags & ENTROPY_WAIT, wait for concurrent access to finish.
  *	If flags & ENTROPY_SIG, allow interruption by signal.
  */
-static void
+static int
-entropy_request(size_t nbytes)
+entropy_request(size_t nbytes, int flags)
+{
 	struct krndsource *rs;
 	int error;
 	KASSERT(E->stage == ENTROPY_COLD || mutex_owned(&E->lock));
 	if (flags & ENTROPY_WAIT)
 		ASSERT_SLEEPABLE();
 	/*
-	 * If there is a request in progress, let it proceed.
+	 * Lock the list of entropy sources to block rnd_detach_source
-	 * Otherwise, note that a request is in progress to avoid
+	 * until we're done, and to serialize calls to the entropy
-	 * reentry and to block rnd_detach_source until we're done.
+	 * callbacks as guaranteed to drivers.
 	 */
-	if (!rnd_trylock_sources())
+	error = rnd_lock_sources(flags);
-		return;
+	if (error)
 		return error;
 	entropy_request_evcnt.ev_count++;
 	/* Clamp to the maximum reasonable request.  */
 	nbytes = MIN(nbytes, ENTROPY_CAPACITY);
 	/* Walk the list of sources.  */
 	LIST_FOREACH(rs, &E->sources, list) {
 		/* Skip sources without callbacks.  */
 		if (!ISSET(rs->flags, RND_FLAG_HASCB))
 			continue;
 		/*
 		 * Skip sources that are disabled altogether -- we
 		 * would just ignore their samples anyway.
 		 */
 		if (ISSET(rs->flags, RND_FLAG_NO_COLLECT))
 			continue;
 		/* Drop the lock while we call the callback.  */
 		if (E->stage >= ENTROPY_WARM)
 			mutex_exit(&E->lock);
 		(*rs->get)(nbytes, rs->getarg);
 		if (E->stage >= ENTROPY_WARM)
 			mutex_enter(&E->lock);
+	}
-	/* Notify rnd_detach_source that the request is done.  */
+	/* Request done; unlock the list of entropy sources.  */
 	rnd_unlock_sources();
 	return 0;
+}
 /*
  * rnd_add_uint32(rs, value)
+ *
  *	Enter 32 bits of data from an entropy source into the pool.
+ *
  *	If rs is NULL, may not be called from interrupt context.
+ *
  *	If rs is non-NULL, may be called from any context.  May drop
  *	data if called from interrupt context.
  */
 void
 @@ -2198,27 +2200,27 @@ entropy_ioctl(unsigned long cmd, void *d
 		uint32_t start = 0, i = 0;
 		/* Skip if none requested; fail if too many requested.  */
 		if (stat->count == 0)
 			break;
 		if (stat->count > RND_MAXSTATCOUNT)
 			return EINVAL;
 		/*
 		 * Under the lock, find the first one, copy out as many
 		 * as requested, and report how many we copied out.
 		 */
 		mutex_enter(&E->lock);
-		error = rnd_lock_sources();
+		error = rnd_lock_sources(ENTROPY_WAIT|ENTROPY_SIG);
 		if (error) {
 			mutex_exit(&E->lock);
 			return error;
+		}
 		LIST_FOREACH(rs, &E->sources, list) {
 			if (start++ == stat->start)
 				break;
+		}
 		while (i < stat->count && rs != NULL) {
 			mutex_exit(&E->lock);
 			rndsource_to_user(rs, &stat->source[i++]);
 			mutex_enter(&E->lock);
 			rs = LIST_NEXT(rs, list);
 @@ -2234,27 +2236,27 @@ entropy_ioctl(unsigned long cmd, void *d
 		uint32_t start = 0, i = 0;
 		/* Skip if none requested; fail if too many requested.  */
 		if (estat->count == 0)
 			break;
 		if (estat->count > RND_MAXSTATCOUNT)
 			return EINVAL;
 		/*
 		 * Under the lock, find the first one, copy out as many
 		 * as requested, and report how many we copied out.
 		 */
 		mutex_enter(&E->lock);
-		error = rnd_lock_sources();
+		error = rnd_lock_sources(ENTROPY_WAIT|ENTROPY_SIG);
 		if (error) {
 			mutex_exit(&E->lock);
 			return error;
+		}
 		LIST_FOREACH(rs, &E->sources, list) {
 			if (start++ == estat->start)
 				break;
+		}
 		while (i < estat->count && rs != NULL) {
 			mutex_exit(&E->lock);
 			rndsource_to_user_est(rs, &estat->source[i++]);
 			mutex_enter(&E->lock);
 			rs = LIST_NEXT(rs, list);
 @@ -2266,27 +2268,27 @@ entropy_ioctl(unsigned long cmd, void *d
 		break;
+	}
 	case RNDGETSRCNAME: {	/* Get entropy sources by name.  */
 		rndstat_name_t *nstat = data;
 		const size_t n = sizeof(rs->name);
 		CTASSERT(sizeof(rs->name) == sizeof(nstat->name));
 		/*
 		 * Under the lock, search by name.  If found, copy it
 		 * out; if not found, fail with ENOENT.
 		 */
 		mutex_enter(&E->lock);
-		error = rnd_lock_sources();
+		error = rnd_lock_sources(ENTROPY_WAIT|ENTROPY_SIG);
 		if (error) {
 			mutex_exit(&E->lock);
 			return error;
+		}
 		LIST_FOREACH(rs, &E->sources, list) {
 			if (strncmp(rs->name, nstat->name, n) == 0)
 				break;
+		}
 		if (rs != NULL) {
 			mutex_exit(&E->lock);
 			rndsource_to_user(rs, &nstat->source);
 			mutex_enter(&E->lock);
 		} else {
 @@ -2297,27 +2299,27 @@ entropy_ioctl(unsigned long cmd, void *d
 		break;
+	}
 	case RNDGETESTNAME: {	/* Get sources and estimates by name.  */
 		rndstat_est_name_t *enstat = data;
 		const size_t n = sizeof(rs->name);
 		CTASSERT(sizeof(rs->name) == sizeof(enstat->name));
 		/*
 		 * Under the lock, search by name.  If found, copy it
 		 * out; if not found, fail with ENOENT.
 		 */
 		mutex_enter(&E->lock);
-		error = rnd_lock_sources();
+		error = rnd_lock_sources(ENTROPY_WAIT|ENTROPY_SIG);
 		if (error) {
 			mutex_exit(&E->lock);
 			return error;
+		}
 		LIST_FOREACH(rs, &E->sources, list) {
 			if (strncmp(rs->name, enstat->name, n) == 0)
 				break;
+		}
 		if (rs != NULL) {
 			mutex_exit(&E->lock);
 			rndsource_to_user_est(rs, &enstat->source);
 			mutex_enter(&E->lock);
 		} else {
 @@ -2371,30 +2373,36 @@ entropy_ioctl(unsigned long cmd, void *d
 			xc_broadcast(0, &entropy_reset_xc, NULL, NULL);
 			mutex_enter(&E->lock);
 			E->pending = 0;
 			atomic_store_relaxed(&E->needed,
 			    ENTROPY_CAPACITY*NBBY);
 			mutex_exit(&E->lock);
+		}
 		/*
 		 * If we changed any of the estimation or collection
 		 * flags, request new samples from everyone -- either
 		 * to make up for what we just lost, or to get new
 		 * samples from what we just added.
+		 *
 		 * Failing on signal, while waiting for another process
 		 * to finish requesting entropy, is OK here even though
 		 * we have committed side effects, because this ioctl
 		 * command is idempotent, so repeating it is safe.
 		 */
 		if (request) {
 			mutex_enter(&E->lock);
-			entropy_request(ENTROPY_CAPACITY);
+			error = entropy_request(ENTROPY_CAPACITY,
 			    ENTROPY_WAIT|ENTROPY_SIG);
 			mutex_exit(&E->lock);
+		}
 		break;
+	}
 	case RNDADDDATA: {	/* Enter seed into entropy pool.  */
 		rnddata_t *rdata = data;
 		unsigned entropybits = 0;
 		if (!atomic_load_relaxed(&entropy_collection))
 			break;	/* thanks but no thanks */
 		if (rdata->len > MIN(sizeof(rdata->data), UINT32_MAX/NBBY))
 			return EINVAL;