* [PATCH] crypto: algif_skcipher - snapshot IV for async skcipher requests
[not found] <agp9Hc71Z3lGF_zu@gondor.apana.org.au>
From: Max Clinton @ 2026-05-18 23:35 UTC
To: linux-crypto
Cc: linux-kernel, herbert, gregkh, davem, security, stable, Max Clinton

AF_ALG skcipher AIO requests currently use the socket-wide IV buffer
during request processing. For async requests, later socket activity
can update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the skcipher
request, so in-flight operations no longer depend on mutable socket
state.

This mirrors the algif_aead fix from commit 5aa58c3a572b ("crypto:
algif_aead - snapshot IV for async AEAD requests"), which addressed
the same shape of bug in the AEAD sibling subsystem.

Tested on Debian Trixie 6.12.74+deb13+1-amd64 (unpatched) and on
v6.12.86 + this patch via virtme-ng on the same host. Reproducer
results: 10-14% race rate over 50000 iterations on the unpatched
kernel against cryptd(cbc(aes-generic)); 0 races at 50000 and
200000 iterations on the patched kernel; 0 races at 200000
iterations on the unpatched kernel with the synchronous
cbc(aes-generic) driver as a control case (confirming the race is
gated on the async dispatch path).

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Cc: stable@kernel.org
Reported-by: Max Clinton <maxtclinton@gmail.com>
Signed-off-by: Max Clinton <maxtclinton@gmail.com>
---
 crypto/algif_skcipher.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index ba0a17fd9..519ff8d17 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -23,6 +23,7 @@ * the RX SGL release. */ +#include <crypto/internal/skcipher.h> #include <crypto/scatterwalk.h> #include <crypto/skcipher.h> #include <crypto/if_alg.h> @@ -103,9 +104,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, struct af_alg_ctx *ctx = ask->private; struct crypto_skcipher *tfm = pask->private; unsigned int bs = crypto_skcipher_chunksize(tfm); + unsigned int ivsize = crypto_skcipher_ivsize(tfm); struct af_alg_async_req *areq; unsigned cflags = 0; int err = 0; + void *iv; size_t len = 0; if (!ctx->init || (ctx->more && ctx->used < bs)) { @@ -116,10 +119,14 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, /* Allocate cipher request for current operation. */ areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) + - crypto_skcipher_reqsize(tfm)); + crypto_skcipher_reqsize(tfm) + ivsize); if (IS_ERR(areq)) return PTR_ERR(areq); + iv = (u8 *)skcipher_request_ctx(&areq->cra_u.skcipher_req) + + crypto_skcipher_reqsize(tfm); + memcpy(iv, ctx->iv, ivsize); + /* convert iovecs of output buffers into RX SGL */ err = af_alg_get_rsgl(sk, msg, flags, areq, ctx->used, &len); if (err) @@ -159,7 +166,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, /* Initialize the crypto operation */ skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); skcipher_request_set_crypt(&areq->cra_u.skcipher_req, areq->tsgl, - areq->first_rsgl.sgl.sgt.sgl, len, ctx->iv); + areq->first_rsgl.sgl.sgt.sgl, len, iv); if (ctx->state) { err = crypto_skcipher_import(&areq->cra_u.skcipher_req, -- 2.47.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
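Review bot: in the @@ -23,6 +23,7 @@ hunk, the only consumer of the new <crypto/internal/skcipher.h> include is the skcipher_request_ctx() call in the allocation hunk further down. If the IV pointer is computed from the areq allocation instead (iv = (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm);, as the reply in this thread suggests), the include is no longer needed and algif_skcipher stays on the public skcipher API.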
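Review bot: in the @@ -116,10 +119,14 @@ hunk, iv is derived from skcipher_request_ctx() plus reqsize, which only points into the new ivsize tail because the skcipher_request is the last member of struct af_alg_async_req and its reqsize bytes of request context are exactly what sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) already allocated. That layout assumption is now load-bearing in two places but stated in neither; add a one-line comment at the allocation (for example /* [af_alg_async_req][request ctx][iv] */) and derive iv from the allocation itself, iv = (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm);. A comment at the memcpy saying why ctx->iv cannot change between the copy and the dispatch below (the caller's socket lock) would also help, since that ordering is what makes the snapshot sound.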
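Review bot: the @@ -159,7 +166,7 @@ hunk feeds the per-request iv to skcipher_request_set_crypt() for the synchronous branch as well as the AIO branch, but the commit message only argues the AIO case. For block modes the IV is the chaining state: the cipher writes the updated IV back through req->iv, and with ctx->iv as req->iv that write-back is what carried a MSG_MORE sequence of requests from one call to the next (the ctx->state import visible just below this hunk carries the extra state of stream ciphers, not the block-mode IV). After this change the updated IV lands in areq and is freed with it, so ctx->iv never advances for a chained synchronous request. Either copy iv back into ctx->iv once a synchronous operation completes, or take the snapshot only on the AIO branch, and say in the commit message which; the algif_aead precedent does not settle this because AEAD requests do not chain.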
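The commit message above reports race rates from a reproducer it does not include. The program below is an added example written for this page, not the reporter's reproducer and not kernel code. It assumes that the "later socket activity" is a second sendmsg carrying an ALG_SET_IV control message (the AF_ALG interface for setting the socket IV), that the kernel under test still has socket AIO, and that the driver named on the command line exists (default cryptd(cbc(aes-generic)) for the async case; pass cbc(aes-generic) for the synchronous control run the message describes). Key, IVs and plaintext are constructed test values. It records a reference ciphertext for IV A through the synchronous path, then per iteration submits an AIO read for a request with IV A, immediately sends a second request with IV B, and counts results that do not match the reference.

```c
/* Added example (not the reporter's reproducer, not kernel code). Assumes a
 * kernel with socket AIO and the cipher driver named on argv[1]; key, IVs
 * and plaintext are constructed test values. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <linux/aio_abi.h>
#include <linux/if_alg.h>

#ifndef SOL_ALG
#define SOL_ALG 279
#endif
#define IVLEN 16            /* cbc(aes): one AES block */
#define LEN   (4 * IVLEN)   /* four blocks of plaintext per request */
#define CBUFLEN (CMSG_SPACE(sizeof(uint32_t)) + CMSG_SPACE(sizeof(struct af_alg_iv) + IVLEN))

/* Build the sendmsg control buffer AF_ALG parses: ALG_SET_OP, then ALG_SET_IV.
 * Returns the bytes used in buf, or 0 if buf is too small. */
static size_t build_alg_cmsg(unsigned char *buf, size_t buflen, uint32_t op,
                             const unsigned char *iv, uint32_t ivlen)
{
    size_t need = CMSG_SPACE(sizeof(uint32_t)) + CMSG_SPACE(sizeof(struct af_alg_iv) + ivlen);
    struct msghdr msg = { .msg_control = buf, .msg_controllen = need };
    struct cmsghdr *c;
    struct af_alg_iv *ai;

    if (buflen < need)
        return 0;
    memset(buf, 0, need);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_OP; c->cmsg_len = CMSG_LEN(sizeof(uint32_t));
    memcpy(CMSG_DATA(c), &op, sizeof(op));
    c = CMSG_NXTHDR(&msg, c);
    c->cmsg_level = SOL_ALG; c->cmsg_type = ALG_SET_IV;
    c->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + ivlen);
    ai = (struct af_alg_iv *)CMSG_DATA(c);
    ai->ivlen = ivlen;
    memcpy(ai->iv, iv, ivlen);
    return need;
}

/* One encrypt request: plaintext plus a fresh IV. In the kernel this sendmsg
 * is the "later socket activity" that overwrites the socket-wide ctx->iv. */
static int alg_send(int opfd, const unsigned char *iv, const unsigned char *pt, size_t len)
{
    unsigned char cbuf[CBUFLEN];
    struct iovec io = { .iov_base = (void *)pt, .iov_len = len };
    struct msghdr msg = { .msg_iov = &io, .msg_iovlen = 1, .msg_control = cbuf };

    msg.msg_controllen = build_alg_cmsg(cbuf, sizeof cbuf, ALG_OP_ENCRYPT, iv, IVLEN);
    return sendmsg(opfd, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Queue an AIO read on the op socket: the recvmsg that takes the async branch
 * of _skcipher_recvmsg(). Returns 1 when the iocb was accepted. */
static long aio_read_submit(aio_context_t actx, int fd, void *buf, size_t len, struct iocb *cb)
{
    struct iocb *list[1] = { cb };

    memset(cb, 0, sizeof(*cb));
    cb->aio_lio_opcode = IOCB_CMD_PREAD;
    cb->aio_fildes = (uint32_t)fd;
    cb->aio_buf = (uint64_t)(uintptr_t)buf;
    cb->aio_nbytes = len;
    return syscall(SYS_io_submit, actx, 1L, list);
}

int main(int argc, char **argv)
{
    const char *drv = argc > 1 ? argv[1] : "cryptd(cbc(aes-generic))";
    int iters = argc > 2 ? atoi(argv[2]) : 50000, races = 0, tfmfd, opfd;
    struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "skcipher" };
    unsigned char key[IVLEN], iv_a[IVLEN], iv_b[IVLEN], pt[LEN], ref[LEN], out[LEN], tmp[LEN];
    aio_context_t actx = 0;

    for (int i = 0; i < IVLEN; i++) { key[i] = i; iv_a[i] = 0xa0 + i; iv_b[i] = 0xb0 + i; }
    for (int i = 0; i < LEN; i++) pt[i] = (unsigned char)i;
    snprintf((char *)sa.salg_name, sizeof sa.salg_name, "%s", drv);
    tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfmfd < 0 || bind(tfmfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        setsockopt(tfmfd, SOL_ALG, ALG_SET_KEY, key, sizeof key) < 0 ||
        (opfd = accept(tfmfd, NULL, NULL)) < 0 || syscall(SYS_io_setup, 8L, &actx) < 0) {
        perror("setup"); return 1;
    }
    /* Reference ciphertext for (key, iv_a, pt) through the synchronous path. */
    if (alg_send(opfd, iv_a, pt, LEN) || read(opfd, ref, LEN) != LEN) { perror("reference"); return 1; }

    for (int i = 0; i < iters; i++) {
        struct iocb cb;
        struct io_event ev = { 0 };

        if (alg_send(opfd, iv_a, pt, LEN) || aio_read_submit(actx, opfd, out, LEN, &cb) != 1 ||
            /* request 1 is queued with req->iv == ctx->iv; on an unpatched kernel
             * request 2's ALG_SET_IV now rewrites ctx->iv before the worker reads it */
            alg_send(opfd, iv_b, pt, LEN) ||
            syscall(SYS_io_getevents, actx, 1L, 1L, &ev, NULL) != 1 || ev.res != LEN) {
            fprintf(stderr, "iteration %d failed (aio res %lld)\n", i, (long long)ev.res); return 1;
        }
        if (memcmp(out, ref, LEN) != 0)
            races++;                       /* request 1 was not encrypted with iv_a */
        if (read(opfd, tmp, LEN) != LEN) { perror("drain"); return 1; }  /* consume request 2 */
    }
    printf("%s: %d of %d AIO results used the wrong IV\n", drv, races, iters);
    syscall(SYS_io_destroy, actx);
    return races ? 2 : 0;
}
```

Build with cc -O2 -o ivrace ivrace.c and run ./ivrace [driver] [iterations]. A non-zero count against an async driver and zero against the synchronous control is the signature the commit message describes; the raw syscall wrappers are used so the program does not depend on libaio.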
* Re: [PATCH] crypto: algif_skcipher - snapshot IV for async skcipher requests
From: Herbert Xu @ 2026-05-29 5:13 UTC
To: Max Clinton; +Cc: linux-crypto, linux-kernel, gregkh, davem, security, stable

On Mon, May 18, 2026 at 07:35:39PM -0400, Max Clinton wrote:
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index ba0a17fd9..519ff8d17 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -23,6 +23,7 @@
> * the RX SGL release.
> */
>
> +#include <crypto/internal/skcipher.h>

There is no need for the internal header.

> @@ -116,10 +119,14 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
>
> /* Allocate cipher request for current operation. */
> areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
> - crypto_skcipher_reqsize(tfm));
> + crypto_skcipher_reqsize(tfm) + ivsize);
> if (IS_ERR(areq))
> return PTR_ERR(areq);
>
> + iv = (u8 *)skcipher_request_ctx(&areq->cra_u.skcipher_req) +
> + crypto_skcipher_reqsize(tfm);

You can rewrite this as

iv = (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm);

Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* [PATCH v2] crypto: algif_skcipher - snapshot IV for async skcipher requests
From: Max Clinton @ 2026-06-01 19:29 UTC
To: linux-crypto
Cc: linux-kernel, herbert, gregkh, davem, security, stable, Max Clinton

AF_ALG skcipher AIO requests currently use the socket-wide IV buffer
during request processing. For async requests, later socket activity
can update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the skcipher
request, so in-flight operations no longer depend on mutable socket
state.

This mirrors the algif_aead fix from commit 5aa58c3a572b ("crypto:
algif_aead - snapshot IV for async AEAD requests"), which addressed
the same shape of bug in the AEAD sibling subsystem.

Tested on Debian Trixie 6.12.74+deb13+1-amd64 (unpatched) and on
v6.12.86 + this patch via virtme-ng on the same host. Reproducer
results: 10-14% race rate over 50000 iterations on the unpatched
kernel against cryptd(cbc(aes-generic)); 0 races at 50000 and
200000 iterations on the patched kernel; 0 races at 200000
iterations on the unpatched kernel with the synchronous
cbc(aes-generic) driver as a control case (confirming the race is
gated on the async dispatch path).

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Cc: stable@kernel.org
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Max Clinton <maxtclinton@gmail.com>
---
Changes since v1:
- Drop unneeded <crypto/internal/skcipher.h> include (Herbert).
- Rewrite iv pointer computation as (areq + 1) + reqsize per
  Herbert's suggestion.

 crypto/algif_skcipher.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index ba0a17fd9..5b5bc1204 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -103,9 +103,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, struct af_alg_ctx *ctx = ask->private; struct crypto_skcipher *tfm = pask->private; unsigned int bs = crypto_skcipher_chunksize(tfm); + unsigned int ivsize = crypto_skcipher_ivsize(tfm); struct af_alg_async_req *areq; unsigned cflags = 0; int err = 0; + void *iv; size_t len = 0; if (!ctx->init || (ctx->more && ctx->used < bs)) { @@ -116,10 +118,13 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, /* Allocate cipher request for current operation. */ areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) + - crypto_skcipher_reqsize(tfm)); + crypto_skcipher_reqsize(tfm) + ivsize); if (IS_ERR(areq)) return PTR_ERR(areq); + iv = (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm); + memcpy(iv, ctx->iv, ivsize); + /* convert iovecs of output buffers into RX SGL */ err = af_alg_get_rsgl(sk, msg, flags, areq, ctx->used, &len); if (err) @@ -159,7 +164,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, /* Initialize the crypto operation */ skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); skcipher_request_set_crypt(&areq->cra_u.skcipher_req, areq->tsgl, - areq->first_rsgl.sgl.sgt.sgl, len, ctx->iv); + areq->first_rsgl.sgl.sgt.sgl, len, iv); if (ctx->state) { err = crypto_skcipher_import(&areq->cra_u.skcipher_req, -- 2.47.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
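Review bot: in the @@ -116,10 +118,13 @@ hunk, iv = (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm); is correct only because the skcipher request and its reqsize bytes of context are the tail of the struct af_alg_async_req allocation. That is the same assumption the sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) allocation has always made, but nothing in the function states it and the new ivsize tail now depends on it too. Add a short comment at the allocation spelling out the layout ([af_alg_async_req][request ctx][ivsize]) so a later change to the struct does not silently move the IV, and note at the memcpy that ctx->iv is stable at that point because the caller holds the socket lock.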
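Review bot: the @@ -159,7 +164,7 @@ hunk is unchanged from v1 and still snapshots the IV for the synchronous branch, not just the AIO branch the commit message describes. For a block mode the cipher's updated IV is written back through req->iv, and the unpatched code relied on that write-back into ctx->iv to chain MSG_MORE requests; with the per-request iv it now dies with areq, so the next chained request starts from a stale ctx->iv. Restrict the snapshot to the AIO path, or copy the request IV back into ctx->iv after the synchronous operation completes, and mention the chaining behaviour in the changelog.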
* Re: [PATCH v2] crypto: algif_skcipher - snapshot IV for async skcipher requests
From: Herbert Xu @ 2026-06-11 5:19 UTC
To: Max Clinton; +Cc: linux-crypto, linux-kernel, gregkh, davem, security, stable

On Mon, Jun 01, 2026 at 03:29:27PM -0400, Max Clinton wrote:
> AF_ALG skcipher AIO requests currently use the socket-wide IV buffer
> during request processing. For async requests, later socket activity
> can update that shared state before the original request has fully
> completed, which can lead to inconsistent IV handling.
>
> Snapshot the IV into per-request storage when preparing the skcipher
> request, so in-flight operations no longer depend on mutable socket
> state.
>
> This mirrors the algif_aead fix from commit 5aa58c3a572b ("crypto:
> algif_aead - snapshot IV for async AEAD requests"), which addressed
> the same shape of bug in the AEAD sibling subsystem.
>
> Tested on Debian Trixie 6.12.74+deb13+1-amd64 (unpatched) and on
> v6.12.86 + this patch via virtme-ng on the same host. Reproducer
> results: 10-14% race rate over 50000 iterations on the unpatched
> kernel against cryptd(cbc(aes-generic)); 0 races at 50000 and
> 200000 iterations on the patched kernel; 0 races at 200000
> iterations on the unpatched kernel with the synchronous
> cbc(aes-generic) driver as a control case (confirming the race is
> gated on the async dispatch path).
>
> Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
> Cc: stable@kernel.org
> Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: Max Clinton <maxtclinton@gmail.com>
> ---
> Changes since v1:
> - Drop unneeded <crypto/internal/skcipher.h> include (Herbert).
> - Rewrite iv pointer computation as (areq + 1) + reqsize per
> Herbert's suggestion.
>
> crypto/algif_skcipher.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)

Given that AIO support has just been removed, this patch is no longer necessary:

commit fcc77d33a34cf271702e8daafb6c593e4626776d
Author: Demi Marie Obenour <demiobenour@gmail.com>
Date:   Sat May 23 15:43:02 2026 -0400

    net: Remove support for AIO on sockets

Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt