* CI found regression in s390 paes-ctr in linux-next
@ 2025-05-14 13:38 Harald Freudenberger
2025-05-15 2:09 ` Herbert Xu
2025-05-16 7:37 ` Harald Freudenberger
0 siblings, 2 replies; 5+ messages in thread
From: Harald Freudenberger @ 2025-05-14 13:38 UTC (permalink / raw)
To: Eric Biggers; +Cc: Herbert Xu, Ingo Franzki, Holger Dengler, linux-crypto
The nightly CI run stumbled over an selftest failure for the paes ctr
algorithm in the linux next kernel.
With commit
698de822780f crypto: testmgr - make it easier to enable the full set of
tests
the "Enable extra run-time crypto self tests" are always enabled and
there is no way to disable
these tests via kernel config any more.
However, the paes-ctr selftest now fails with these extra tests.
We could have seen this already when we would have enabled these
additional test - however, we didn't.
Investigating...
have a nice day
Harald Freudenberger
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CI found regression in s390 paes-ctr in linux-next
2025-05-14 13:38 CI found regression in s390 paes-ctr in linux-next Harald Freudenberger
@ 2025-05-15 2:09 ` Herbert Xu
2025-05-15 2:47 ` Herbert Xu
2025-05-16 7:37 ` Harald Freudenberger
1 sibling, 1 reply; 5+ messages in thread
From: Herbert Xu @ 2025-05-15 2:09 UTC (permalink / raw)
To: Harald Freudenberger
Cc: Eric Biggers, Ingo Franzki, Holger Dengler, linux-crypto
On Wed, May 14, 2025 at 03:38:36PM +0200, Harald Freudenberger wrote:
> The nightly CI run stumbled over an selftest failure for the paes ctr
> algorithm in the linux next kernel.
That's strange. AFAIK paes shouldn't even be tested. Can you
show me what the error looks like?
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CI found regression in s390 paes-ctr in linux-next
2025-05-15 2:09 ` Herbert Xu
@ 2025-05-15 2:47 ` Herbert Xu
0 siblings, 0 replies; 5+ messages in thread
From: Herbert Xu @ 2025-05-15 2:47 UTC (permalink / raw)
To: Harald Freudenberger
Cc: Eric Biggers, Ingo Franzki, Holger Dengler, linux-crypto
On Thu, May 15, 2025 at 10:09:08AM +0800, Herbert Xu wrote:
>
> That's strange. AFAIK paes shouldn't even be tested. Can you
> show me what the error looks like?
Oh I had forgotten that we have the special code that turns normal
test vectors into paes test vectors.
I guess we just never ran the extra fuzz tests on paes and now
it's discovering real bugs. So it's all working as intended :)
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CI found regression in s390 paes-ctr in linux-next
2025-05-14 13:38 CI found regression in s390 paes-ctr in linux-next Harald Freudenberger
2025-05-15 2:09 ` Herbert Xu
@ 2025-05-16 7:37 ` Harald Freudenberger
2025-05-16 7:47 ` Herbert Xu
1 sibling, 1 reply; 5+ messages in thread
From: Harald Freudenberger @ 2025-05-16 7:37 UTC (permalink / raw)
To: Herbert Xu; +Cc: Ingo Franzki, Holger Dengler, linux-crypto, Eric Biggers
On 2025-05-14 15:38, Harald Freudenberger wrote:
> The nightly CI run stumbled over an selftest failure for the paes ctr
> algorithm in the linux next kernel.
> With commit
> 698de822780f crypto: testmgr - make it easier to enable the full set of
> tests
> the "Enable extra run-time crypto self tests" are always enabled and
> there is no way to disable
> these tests via kernel config any more.
> However, the paes-ctr selftest now fails with these extra tests.
> We could have seen this already when we would have enabled these
> additional test - however, we didn't.
>
> Investigating...
>
> have a nice day
> Harald Freudenberger
I've appended a fix for this finding. However, as the reworked PAES is
already on the way in the s390
feature branch and will be merged into the next kernel merge window,
there is no need to apply this
fix to the upstream kernel. Maybe for stable kernels the fix should be
integrated.
---------- cut here
----------------------------------------------------------------------------
From 8d20802095ee6c9855112fa5201d253874b49240 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.ibm.com>
Date: Thu, 15 May 2025 17:19:08 +0200
Subject: [PATCH] s390/crypto: Fix extended selftest finding with paes
ctr mode
With enabling the extended crypto selftests there occurs a
failure for protected key aes with counter mode:
kernel: alg: skcipher: ctr-paes-s390 encryption failed on test vector
4; expected_error=0, actual_error=-22, cfg="random:
inplace_one_sglist use_final nosimd src_divs=[<reimport>50.0%@+4,
<flush,nosimd>48.1%>
kernel: alg: self-tests for ctr(paes) using ctr-paes-s390 failed
(rc=-22)
kernel: ------------[ cut here ]------------
kernel: alg: self-tests for ctr(paes) using ctr-paes-s390 failed
(rc=-22)
kernel: WARNING: CPU: 10 PID: 4928 at crypto/testmgr.c:5808
alg_test+0x530/0x660
kernel: Modules linked in: paes_s390 kvm mlx5_ib ib_uverbs ib_core
mlx5_vdpa vdpa vringh vhost_iotlb nft_fib_inet nft_fib_ipv4
nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nf>
kernel: CPU: 10 UID: 0 PID: 4928 Comm: cryptomgr_test Not tainted
6.15.0-hf-next-20250514 #1 PREEMPT
kernel: Hardware name: IBM 9175 ME1 705 (LPAR)
kernel: Krnl PSW : 0704d00180000000 000002c28b5d0e74
(alg_test+0x534/0x660)
kernel: R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0
RI:0 EA:3
kernel: Krnl GPRS: 000002c280000001 0000000000000002 0000000000000041
0000000000000000
kernel: 0000000000000002 0000024280000002 ffffffffffffffea
000002c28b5d06c0
kernel: 000002c2ffffffea 000001ba4cacca80 0000000000000005
000001ba4cacca00
kernel: 000001ba23278100 000002c28c284538 000002c28b5d0e70
000002429b16fca0
kernel: Krnl Code: 000002c28b5d0e64: c020005fae5c larl
%r2,000002c28c1c6b1c
000002c28b5d0e6a: c0e5ffad3e73 brasl
%r14,000002c28ab78b50
#000002c28b5d0e70: af000000 mc 0,0
>000002c28b5d0e74: a7f4fe17 brc
15,000002c28b5d0aa2
000002c28b5d0e78: ec51000100d8 ahik %r5,%r1,1
000002c28b5d0e7e: a7f4ff6a brc
15,000002c28b5d0d52
000002c28b5d0e82: a768ffff lhi %r6,-1
000002c28b5d0e86: a7f4fdb2 brc
15,000002c28b5d09ea
kernel: Call Trace:
kernel: [<000002c28b5d0e74>] alg_test+0x534/0x660
kernel: ([<000002c28b5d0e70>] alg_test+0x530/0x660)
kernel: [<000002c28b5c9064>] cryptomgr_test+0x34/0x60
kernel: [<000002c28abb2254>] kthread+0x164/0x2d0
kernel: [<000002c28ab1d4c0>] __ret_from_fork+0x40/0x2f0
kernel: [<000002c28bc98c3a>] ret_from_fork+0xa/0x30
kernel: INFO: lockdep is turned off.
kernel: Last Breaking-Event-Address:
kernel: [<000002c28ab78c94>] __warn_printk+0x144/0x150
kernel: irq event stamp: 0
kernel: hardirqs last enabled at (0): [<0000000000000000>] 0x0
kernel: hardirqs last disabled at (0): [<000002c28ab76ce0>]
copy_process+0x8b0/0x18c0
kernel: softirqs last enabled at (0): [<000002c28ab76ce0>]
copy_process+0x8b0/0x18c0
kernel: softirqs last disabled at (0): [<0000000000000000>] 0x0
kernel: ---[ end trace 0000000000000000 ]---
Investigation reveals that skcipher_walk_done() returns -22 (EINVAL)
caused by a wrong bytes-remaining argument. This only happens when
the very last block of the en/decrypt operation is not AES_BLOCK_SIZE
padded.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
arch/s390/crypto/paes_s390.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
index 511093713a6f..8e92a7710294 100644
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@@ -874,7 +874,7 @@ static int ctr_paes_crypt(struct skcipher_request
*req)
}
memcpy(walk.dst.virt.addr, buf, nbytes);
crypto_inc(walk.iv, AES_BLOCK_SIZE);
- rc = skcipher_walk_done(&walk, nbytes);
+ rc = skcipher_walk_done(&walk, 0);
}
return rc;
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: CI found regression in s390 paes-ctr in linux-next
2025-05-16 7:37 ` Harald Freudenberger
@ 2025-05-16 7:47 ` Herbert Xu
0 siblings, 0 replies; 5+ messages in thread
From: Herbert Xu @ 2025-05-16 7:47 UTC (permalink / raw)
To: Harald Freudenberger
Cc: Ingo Franzki, Holger Dengler, linux-crypto, Eric Biggers
On Fri, May 16, 2025 at 09:37:59AM +0200, Harald Freudenberger wrote:
>
> I've appended a fix for this finding. However, as the reworked PAES is
> already on the way in the s390
> feature branch and will be merged into the next kernel merge window, there
> is no need to apply this
> fix to the upstream kernel. Maybe for stable kernels the fix should be
> integrated.
Good catch! This should probably go into 6.15 as well as stable.
> diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
> index 511093713a6f..8e92a7710294 100644
> --- a/arch/s390/crypto/paes_s390.c
> +++ b/arch/s390/crypto/paes_s390.c
> @@ -874,7 +874,7 @@ static int ctr_paes_crypt(struct skcipher_request *req)
> }
> memcpy(walk.dst.virt.addr, buf, nbytes);
> crypto_inc(walk.iv, AES_BLOCK_SIZE);
> - rc = skcipher_walk_done(&walk, nbytes);
> + rc = skcipher_walk_done(&walk, 0);
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-05-16 7:47 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-14 13:38 CI found regression in s390 paes-ctr in linux-next Harald Freudenberger
2025-05-15 2:09 ` Herbert Xu
2025-05-15 2:47 ` Herbert Xu
2025-05-16 7:37 ` Harald Freudenberger
2025-05-16 7:47 ` Herbert Xu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox