From: Eric Biggers <ebiggers3@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org,
Tudor-Dan Ambarus <tudor.ambarus@microchip.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Salvatore Benedetto <salvatore.benedetto@intel.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Biggers <ebiggers@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] lib/mpi: call cond_resched() from mpi_powm() loop
Date: Fri, 10 Nov 2017 18:41:05 +0000 [thread overview]
Message-ID: <20171110184105.GA99710@gmail.com> (raw)
In-Reply-To: <20171110113729.GD26163@gondor.apana.org.au>
On Fri, Nov 10, 2017 at 10:37:30PM +1100, Herbert Xu wrote:
> On Mon, Nov 06, 2017 at 10:19:51PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > On a non-preemptible kernel, if KEYCTL_DH_COMPUTE is called with the
> > largest permitted inputs (16384 bits), the kernel spends 10+ seconds
> > doing modular exponentiation in mpi_powm() without rescheduling. If all
> > threads do it, it locks up the system. Moreover, it can cause
> > rcu_sched-stall warnings.
> >
> > Notwithstanding the insanity of doing this calculation in kernel mode
> > rather than in userspace, fix it by calling cond_resched() as each bit
> > from the exponent is processed. It's still noninterruptible, but at
> > least it's preemptible now.
> >
> > Cc: stable@vger.kernel.org # v4.12+
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
>
> Patch applied. Thanks.
> --
If it's not too late can you fix the stable line to be just
Cc: stable@vger.kernel.org
As Mat pointed out KEYCTL_DH_COMPUTE was actually introduced in v4.7. Also I
think the code is also reachable through RSA by adding an x509 certificate using
the "asymmetric" key type, although that appears to be limited to 4096-bit
inputs rather than 16384 bits.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers3@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org,
Tudor-Dan Ambarus <tudor.ambarus@microchip.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Salvatore Benedetto <salvatore.benedetto@intel.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Biggers <ebiggers@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] lib/mpi: call cond_resched() from mpi_powm() loop
Date: Fri, 10 Nov 2017 10:41:05 -0800 [thread overview]
Message-ID: <20171110184105.GA99710@gmail.com> (raw)
In-Reply-To: <20171110113729.GD26163@gondor.apana.org.au>
On Fri, Nov 10, 2017 at 10:37:30PM +1100, Herbert Xu wrote:
> On Mon, Nov 06, 2017 at 10:19:51PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > On a non-preemptible kernel, if KEYCTL_DH_COMPUTE is called with the
> > largest permitted inputs (16384 bits), the kernel spends 10+ seconds
> > doing modular exponentiation in mpi_powm() without rescheduling. If all
> > threads do it, it locks up the system. Moreover, it can cause
> > rcu_sched-stall warnings.
> >
> > Notwithstanding the insanity of doing this calculation in kernel mode
> > rather than in userspace, fix it by calling cond_resched() as each bit
> > from the exponent is processed. It's still noninterruptible, but at
> > least it's preemptible now.
> >
> > Cc: stable@vger.kernel.org # v4.12+
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
>
> Patch applied. Thanks.
> --
If it's not too late can you fix the stable line to be just
Cc: stable@vger.kernel.org
As Mat pointed out KEYCTL_DH_COMPUTE was actually introduced in v4.7. Also I
think the code is also reachable through RSA by adding an x509 certificate using
the "asymmetric" key type, although that appears to be limited to 4096-bit
inputs rather than 16384 bits.
Eric
next prev parent reply other threads:[~2017-11-10 18:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 6:19 [PATCH] lib/mpi: call cond_resched() from mpi_powm() loop Eric Biggers
2017-11-07 6:19 ` Eric Biggers
2017-11-07 18:38 ` Mat Martineau
2017-11-07 18:38 ` Mat Martineau
2017-11-07 18:38 ` Mat Martineau
2017-11-07 22:03 ` Eric Biggers
2017-11-07 22:03 ` Eric Biggers
2017-11-10 11:37 ` Herbert Xu
2017-11-10 11:37 ` Herbert Xu
2017-11-10 18:41 ` Eric Biggers [this message]
2017-11-10 18:41 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171110184105.GA99710@gmail.com \
--to=ebiggers3@gmail.com \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=salvatore.benedetto@intel.com \
--cc=stable@vger.kernel.org \
--cc=tudor.ambarus@microchip.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.