From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2690C10F03 for ; Wed, 13 Mar 2019 05:15:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B0640218A3 for ; Wed, 13 Mar 2019 05:15:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552454136; bh=vHRu0W9KwUGaloXhGjaFpSkQdr99+L7HhU0sp5EPj+s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=k8kwXcvWiVJyB7VJaeXLZEC//x+yRuq7s1BviOnaakVyR32mQXPuf5mh0mQmW8+yW bIrYZVfnX5MWU5JHd89Wnt/bCHJj7rEZjlMLsUgjTEDmRXZq16QFAYbDrT0tWX3s/d SPHhrwnOoDkuU2/p5voi18JNeCozulr77iB1P82o= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726184AbfCMFPf (ORCPT ); Wed, 13 Mar 2019 01:15:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:50104 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726043AbfCMFPf (ORCPT ); Wed, 13 Mar 2019 01:15:35 -0400 Received: from sol.localdomain (c-107-3-167-184.hsd1.ca.comcast.net [107.3.167.184]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 464F82183E; Wed, 13 Mar 2019 05:15:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552454134; bh=vHRu0W9KwUGaloXhGjaFpSkQdr99+L7HhU0sp5EPj+s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qU1LRDFUW97TFZ1BeNbXj7hLZ9eyZr7HZRg6/2fXtXeYvSmqalfxeUwvQchaDg8CP QE0cxQGVVLQUvjAzptDVmZwrW9dpBZj6Xt+rYEu5CIhleXDDBoKZCwKF0f6IOQmms+ V6Sd/9yMLMJ1ByU/RfNLGZs1HfSDN9e2/5jvLomc= From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: Ard Biesheuvel , linux-arm-kernel@lists.infradead.org, x86@kernel.org Subject: [PATCH 1/8] crypto: chacha-generic - fix use as arm64 no-NEON fallback Date: Tue, 12 Mar 2019 22:12:45 -0700 Message-Id: <20190313051252.2917-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190313051252.2917-1-ebiggers@kernel.org> References: <20190313051252.2917-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers The arm64 implementations of ChaCha and XChaCha are failing the extra crypto self-tests following my patches to test the !may_use_simd() code paths, which previously were untested. The problem is as follows: When !may_use_simd(), the arm64 NEON implementations fall back to the generic implementation, which uses the skcipher_walk API to iterate through the src/dst scatterlists. Due to how the skcipher_walk API works, walk.stride is set from the skcipher_alg actually being used, which in this case is the arm64 NEON algorithm. Thus walk.stride is 5*CHACHA_BLOCK_SIZE, not CHACHA_BLOCK_SIZE. This unnecessarily large stride shouldn't cause an actual problem. However, the generic implementation computes round_down(nbytes, walk.stride). round_down() assumes the round amount is a power of 2, which 5*CHACHA_BLOCK_SIZE is not, so it gives the wrong result. This causes the following case in skcipher_walk_done() to be hit, causing a WARN() and failing the encryption operation: if (WARN_ON(err)) { /* unexpected case; didn't process all bytes */ err = -EINVAL; goto finish; } Fix it by rounding down to CHACHA_BLOCK_SIZE instead of walk.stride. (Or we could replace round_down() with rounddown(), but that would add a slow division operation every time, which I think we should avoid.) Fixes: 2fe55987b262 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed") Cc: # v5.0+ Signed-off-by: Eric Biggers --- crypto/chacha_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/chacha_generic.c b/crypto/chacha_generic.c index 35b583101f4f..90ec0ec1b4f7 100644 --- a/crypto/chacha_generic.c +++ b/crypto/chacha_generic.c @@ -52,7 +52,7 @@ static int chacha_stream_xor(struct skcipher_request *req, unsigned int nbytes = walk.nbytes; if (nbytes < walk.total) - nbytes = round_down(nbytes, walk.stride); + nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE); chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr, nbytes, ctx->nrounds); -- 2.21.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6259C43381 for ; Wed, 13 Mar 2019 10:21:39 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B3DBB2087C for ; Wed, 13 Mar 2019 10:21:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="WtJWyDb4"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="Rz9m2M6Y"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="qU1LRDFU" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B3DBB2087C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=JaSDUPgMfLozNnMViMaUaaoBKyMg2XPcYMIvpNtvEgE=; b=WtJWyDb4lS+Jo9 sw7gSD8Gjy6n/MZdmrhnRNz/ODbzk/LU6T2+52ehMCbiLGavje+cdpm5Bgb4cKukIi4F7vFJhIzhO eVWgPybHszl3I3IrPaPoBIdDxjsDo3yLz18s7bR8O3wwPu4uIctJgK9WVyZi7vOcWkBXKb11+nOtN pk+ZRqDGBPwqR+JJLY9CDdVfFYTXRjB22UxkFtlhphfStTxffNYrXdKHQZXxWTQ3sZLQhM/bViKQY PrGoqscU2ZSjMsWdBq080xUQhlS0WTSRw+ecLO6As1xeccZDuDkX48cWpesQNBmvbrxps0SxVpdcf Au/51p6XrbWWY8to9tMQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1h410u-00008W-7q; Wed, 13 Mar 2019 10:21:32 +0000 Received: from casper.infradead.org ([85.118.1.10]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1h40q1-0006u1-0E for linux-arm-kernel@bombadil.infradead.org; Wed, 13 Mar 2019 10:10:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=tOJ6oOSFJXn5CmW8ZPjal4mQE7TcFL/HZYlZHC8BjG8=; b=Rz9m2M6YidH8jQOupLyrAOAyow 7yge+ZYl/zCnzTcjJdzeTmZ9P+5/eSHvF3CKWBt/UR0TzCUgqNDJMoyDp2y+0kAZkZkR1FsJ9bw8X 2a5CHigI/qZNBylLdo0KJSWGXL1597XB54cH5krqQ7+nTA30a/EaVuPGZ93XQoIxkW+Dyf2dhUJdc Uxe1ohFCzfPvZiP00zkbCszX+yISwHpL/82IzsTE0ikSigZCKu/tYLHBgmAzojZK2QFJHA57448FG NY0zHiOYFK50Z7adhWl+oASo9cyrpk+JqdqkUPrOxKfFZ0bhn97lL8u71hydfBRMlKqL7wh56772I UfmJAsew==; Received: from mail.kernel.org ([198.145.29.99]) by casper.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1h3wH9-0002zF-7g for linux-arm-kernel@lists.infradead.org; Wed, 13 Mar 2019 05:18:00 +0000 Received: from sol.localdomain (c-107-3-167-184.hsd1.ca.comcast.net [107.3.167.184]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 464F82183E; Wed, 13 Mar 2019 05:15:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552454134; bh=vHRu0W9KwUGaloXhGjaFpSkQdr99+L7HhU0sp5EPj+s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qU1LRDFUW97TFZ1BeNbXj7hLZ9eyZr7HZRg6/2fXtXeYvSmqalfxeUwvQchaDg8CP QE0cxQGVVLQUvjAzptDVmZwrW9dpBZj6Xt+rYEu5CIhleXDDBoKZCwKF0f6IOQmms+ V6Sd/9yMLMJ1ByU/RfNLGZs1HfSDN9e2/5jvLomc= From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Subject: [PATCH 1/8] crypto: chacha-generic - fix use as arm64 no-NEON fallback Date: Tue, 12 Mar 2019 22:12:45 -0700 Message-Id: <20190313051252.2917-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190313051252.2917-1-ebiggers@kernel.org> References: <20190313051252.2917-1-ebiggers@kernel.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190313_051759_416228_AB90A3D3 X-CRM114-Status: GOOD ( 17.66 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: x86@kernel.org, linux-arm-kernel@lists.infradead.org, Ard Biesheuvel Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org From: Eric Biggers The arm64 implementations of ChaCha and XChaCha are failing the extra crypto self-tests following my patches to test the !may_use_simd() code paths, which previously were untested. The problem is as follows: When !may_use_simd(), the arm64 NEON implementations fall back to the generic implementation, which uses the skcipher_walk API to iterate through the src/dst scatterlists. Due to how the skcipher_walk API works, walk.stride is set from the skcipher_alg actually being used, which in this case is the arm64 NEON algorithm. Thus walk.stride is 5*CHACHA_BLOCK_SIZE, not CHACHA_BLOCK_SIZE. This unnecessarily large stride shouldn't cause an actual problem. However, the generic implementation computes round_down(nbytes, walk.stride). round_down() assumes the round amount is a power of 2, which 5*CHACHA_BLOCK_SIZE is not, so it gives the wrong result. This causes the following case in skcipher_walk_done() to be hit, causing a WARN() and failing the encryption operation: if (WARN_ON(err)) { /* unexpected case; didn't process all bytes */ err = -EINVAL; goto finish; } Fix it by rounding down to CHACHA_BLOCK_SIZE instead of walk.stride. (Or we could replace round_down() with rounddown(), but that would add a slow division operation every time, which I think we should avoid.) Fixes: 2fe55987b262 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed") Cc: # v5.0+ Signed-off-by: Eric Biggers --- crypto/chacha_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/chacha_generic.c b/crypto/chacha_generic.c index 35b583101f4f..90ec0ec1b4f7 100644 --- a/crypto/chacha_generic.c +++ b/crypto/chacha_generic.c @@ -52,7 +52,7 @@ static int chacha_stream_xor(struct skcipher_request *req, unsigned int nbytes = walk.nbytes; if (nbytes < walk.total) - nbytes = round_down(nbytes, walk.stride); + nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE); chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr, nbytes, ctx->nrounds); -- 2.21.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel