[PATCH v2] nvme-auth: update sc_c in host response

[PATCH v2] nvme-auth: update sc_c in host response

[Martin George]

The sc_c field is currently not updated in the host response to the
controller challenge leading to failures while attempting secure
channel concatenation. Fix this by adding a new sc_c variable to the
dhchap queue context structure which is appropriately set during
negotiate and then used in the host response.

Fixes: e88a7595b57f ("nvme-tcp: request secure channel concatenation")
Signed-off-by: Martin George <marting@netapp.com>
Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
---
Changes in v2: set *buf to sc_c as suggested by Hannes
---
 drivers/nvme/host/auth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 201fc8809a62..c70db1bc3fda 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -36,6 +36,7 @@ struct nvme_dhchap_queue_context {
 	u8 status;
 	u8 dhgroup_id;
 	u8 hash_id;
+	u8 sc_c;
 	size_t hash_len;
 	u8 c1[64];
 	u8 c2[64];
@@ -154,6 +155,8 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
 	data->auth_protocol[0].dhchap.idlist[34] = NVME_AUTH_DHGROUP_6144;
 	data->auth_protocol[0].dhchap.idlist[35] = NVME_AUTH_DHGROUP_8192;
 
+	chap->sc_c = data->sc_c;
+
 	return size;
 }
 
@@ -488,7 +491,7 @@ static int nvme_auth_dhchap_setup_host_response(struct nvme_ctrl *ctrl,
 	ret = crypto_shash_update(shash, buf, 2);
 	if (ret)
 		goto out;
-	memset(buf, 0, sizeof(buf));
+	*buf = chap->sc_c;
 	ret = crypto_shash_update(shash, buf, 1);
 	if (ret)
 		goto out;
@@ -499,6 +502,7 @@ static int nvme_auth_dhchap_setup_host_response(struct nvme_ctrl *ctrl,
 				  strlen(ctrl->opts->host->nqn));
 	if (ret)
 		goto out;
+	memset(buf, 0, sizeof(buf));
 	ret = crypto_shash_update(shash, buf, 1);
 	if (ret)
 		goto out;
-- 
2.43.0

Re: [PATCH v2] nvme-auth: update sc_c in host response

[Hannes Reinecke]

On 9/8/25 19:24, Martin George wrote:
> The sc_c field is currently not updated in the host response to the
> controller challenge leading to failures while attempting secure
> channel concatenation. Fix this by adding a new sc_c variable to the
> dhchap queue context structure which is appropriately set during
> negotiate and then used in the host response.
> 
> Fixes: e88a7595b57f ("nvme-tcp: request secure channel concatenation")
> Signed-off-by: Martin George <marting@netapp.com>
> Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
> ---
> Changes in v2: set *buf to sc_c as suggested by Hannes
> ---
>   drivers/nvme/host/auth.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

Re: [PATCH v2] nvme-auth: update sc_c in host response

[Martin George]

On Tue, 2025-09-09 at 08:43 +0200, Hannes Reinecke wrote:
> On 9/8/25 19:24, Martin George wrote:
> > The sc_c field is currently not updated in the host response to the
> > controller challenge leading to failures while attempting secure
> > channel concatenation. Fix this by adding a new sc_c variable to
> > the
> > dhchap queue context structure which is appropriately set during
> > negotiate and then used in the host response.
> > 
> > Fixes: e88a7595b57f ("nvme-tcp: request secure channel
> > concatenation")
> > Signed-off-by: Martin George <marting@netapp.com>
> > Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
> > ---
> > Changes in v2: set *buf to sc_c as suggested by Hannes
> > ---
> >   drivers/nvme/host/auth.c | 6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> Reviewed-by: Hannes Reinecke <hare@suse.de>
> 
> Cheers,
> 
> Hannes

Gentle ping

Re: [PATCH v2] nvme-auth: update sc_c in host response

[Martin George]

On Tue, 2025-09-16 at 17:11 +0530, Martin George wrote:
> On Tue, 2025-09-09 at 08:43 +0200, Hannes Reinecke wrote:
> > On 9/8/25 19:24, Martin George wrote:
> > > The sc_c field is currently not updated in the host response to
> > > the
> > > controller challenge leading to failures while attempting secure
> > > channel concatenation. Fix this by adding a new sc_c variable to
> > > the
> > > dhchap queue context structure which is appropriately set during
> > > negotiate and then used in the host response.
> > > 
> > > Fixes: e88a7595b57f ("nvme-tcp: request secure channel
> > > concatenation")
> > > Signed-off-by: Martin George <marting@netapp.com>
> > > Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
> > > ---
> > > Changes in v2: set *buf to sc_c as suggested by Hannes
> > > ---
> > >   drivers/nvme/host/auth.c | 6 +++++-
> > >   1 file changed, 5 insertions(+), 1 deletion(-)
> > > 
> > Reviewed-by: Hannes Reinecke <hare@suse.de>
> > 
> > Cheers,
> > 
> > Hannes
> 
> Gentle ping

Pinging again. Please review and provide feedback if any. Thanks.

-Martin

Re: [PATCH v2] nvme-auth: update sc_c in host response

[Shinichiro Kawasaki]

On Sep 08, 2025 / 22:54, Martin George wrote:
> The sc_c field is currently not updated in the host response to the
> controller challenge leading to failures while attempting secure
> channel concatenation. Fix this by adding a new sc_c variable to the
> dhchap queue context structure which is appropriately set during
> negotiate and then used in the host response.
> 
> Fixes: e88a7595b57f ("nvme-tcp: request secure channel concatenation")
> Signed-off-by: Martin George <marting@netapp.com>
> Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
> ---
> Changes in v2: set *buf to sc_c as suggested by Hannes

I ran blktests with v6.18-rc2 kernel, and found the test case nvme/063 shows a
new failure symptom. I bisected and found this patch in the v6.18-rc2 tag
triggers the failrue. Actions for fix will be appreciated. FYI, I attach the
blktests console output [1] and the kernel messages [2].

  To be precise, nvme/063 fails even without this patch as I reported [3]. But
  that failure was due to lockdep WARN. This patch introduced a new failure
  symptom. I think both the two failure symptoms should be fixed.


[1] blktests run console output

# NVMET_TRTYPES=tcp ./check nvme/063
nvme/063 (tr=tcp) (Create authenticated TCP connections with secure concatenation)
    runtime  2.922s  ...
WARNING: Test did not clean up port: 0
WARNING: Test did not clean up subsystem: blktests-subsystem-1
rmdir: failed to remove '/sys/kernel/config/nvmet//subsystems/blktests-subsystem-1': Directory not empty
WARNING: Test did not clean up host: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
nvme/063 (tr=tcp) (Create authenticated TCP connections with secure concatenation) [failed]01fb42-9f7f-48    runtime  2.922s  ...  3.908s resource busy
    --- tests/nvme/063.out      2025-08-26 21:28:52.805848674 +0900
    +++ /home/shin/Blktests/blktests/results/nodev_tr_tcp/nvme/063.out.bad      2025-10-20 17:42:12.097662643 +0900
    @@ -1,7 +1,3 @@
     Running nvme/063
     Test secure concatenation with SHA256
    -Reset controller
    -disconnected 1 controller(s)
    -Test secure concatenation with SHA384
    -disconnected 1 controller(s)
    -Test complete
    ...
    (Run 'diff -u tests/nvme/063.out /home/shin/Blktests/blktests/results/nodev_tr_tcp/nvme/063.out.bad' to see the entire diff)
WARNING: Test did not clean up subsystem: blktests-subsystem-1
rmdir: failed to remove '/sys/kernel/config/nvmet//subsystems/blktests-subsystem-1': Directory not empty
WARNING: Test did not clean up host: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
rmdir: failed to remove '/sys/kernel/config/nvmet//hosts/nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349': Device or resource busy


[2] kernel message log

[   59.957999] [    T950] run blktests nvme/063 at 2025-10-20 17:42:08
[   60.146451] [   T1059] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[   60.168784] [   T1060] nvmet: Allow non-TLS connections while TLS1.3 is enabled
[   60.179760] [   T1063] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
[   60.321134] [     T80] nvmet: Created nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 with DH-HMAC-CHAP.
[   60.329310] [     T89] nvmet: ctrl 1 qid 0 host response mismatch
[   60.329914] [     T89] nvmet: ctrl 1 qid 0 failure1 (1)
[   60.330650] [     T82] nvmet: ctrl 1 fatal error occurred!
[   60.331254] [   T1073] nvme nvme5: qid 0: authentication failed, error -129
[   60.333179] [   T1073] nvme nvme5: failed to connect queue: 0 ret=-129


[3] https://lore.kernel.org/linux-nvme/ynmi72x5wt5ooljjafebhcarit3pvu6axkslqenikb2p5txe57@ldytqa2t4i2x/T/#u

Re: [PATCH v2] nvme-auth: update sc_c in host response

[Hannes Reinecke]

On 10/20/25 10:50, Shinichiro Kawasaki wrote:
> On Sep 08, 2025 / 22:54, Martin George wrote:
>> The sc_c field is currently not updated in the host response to the
>> controller challenge leading to failures while attempting secure
>> channel concatenation. Fix this by adding a new sc_c variable to the
>> dhchap queue context structure which is appropriately set during
>> negotiate and then used in the host response.
>>
>> Fixes: e88a7595b57f ("nvme-tcp: request secure channel concatenation")
>> Signed-off-by: Martin George <marting@netapp.com>
>> Signed-off-by: Prashanth Adurthi <prashana@netapp.com>
>> ---
>> Changes in v2: set *buf to sc_c as suggested by Hannes
> 
> I ran blktests with v6.18-rc2 kernel, and found the test case nvme/063 shows a
> new failure symptom. I bisected and found this patch in the v6.18-rc2 tag
> triggers the failrue. Actions for fix will be appreciated. FYI, I attach the
> blktests console output [1] and the kernel messages [2].
> 
>    To be precise, nvme/063 fails even without this patch as I reported [3]. But
>    that failure was due to lockdep WARN. This patch introduced a new failure
>    symptom. I think both the two failure symptoms should be fixed.
> 
> 
> [1] blktests run console output
> 
> # NVMET_TRTYPES=tcp ./check nvme/063
> nvme/063 (tr=tcp) (Create authenticated TCP connections with secure concatenation)
>      runtime  2.922s  ...
> WARNING: Test did not clean up port: 0
> WARNING: Test did not clean up subsystem: blktests-subsystem-1
> rmdir: failed to remove '/sys/kernel/config/nvmet//subsystems/blktests-subsystem-1': Directory not empty
> WARNING: Test did not clean up host: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
> nvme/063 (tr=tcp) (Create authenticated TCP connections with secure concatenation) [failed]01fb42-9f7f-48    runtime  2.922s  ...  3.908s resource busy
>      --- tests/nvme/063.out      2025-08-26 21:28:52.805848674 +0900
>      +++ /home/shin/Blktests/blktests/results/nodev_tr_tcp/nvme/063.out.bad      2025-10-20 17:42:12.097662643 +0900
>      @@ -1,7 +1,3 @@
>       Running nvme/063
>       Test secure concatenation with SHA256
>      -Reset controller
>      -disconnected 1 controller(s)
>      -Test secure concatenation with SHA384
>      -disconnected 1 controller(s)
>      -Test complete
>      ...
>      (Run 'diff -u tests/nvme/063.out /home/shin/Blktests/blktests/results/nodev_tr_tcp/nvme/063.out.bad' to see the entire diff)
> WARNING: Test did not clean up subsystem: blktests-subsystem-1
> rmdir: failed to remove '/sys/kernel/config/nvmet//subsystems/blktests-subsystem-1': Directory not empty
> WARNING: Test did not clean up host: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349
> rmdir: failed to remove '/sys/kernel/config/nvmet//hosts/nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349': Device or resource busy
> 
> 
> [2] kernel message log
> 
> [   59.957999] [    T950] run blktests nvme/063 at 2025-10-20 17:42:08
> [   60.146451] [   T1059] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
> [   60.168784] [   T1060] nvmet: Allow non-TLS connections while TLS1.3 is enabled
> [   60.179760] [   T1063] nvmet_tcp: enabling port 0 (127.0.0.1:4420)
> [   60.321134] [     T80] nvmet: Created nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 with DH-HMAC-CHAP.
> [   60.329310] [     T89] nvmet: ctrl 1 qid 0 host response mismatch
> [   60.329914] [     T89] nvmet: ctrl 1 qid 0 failure1 (1)
> [   60.330650] [     T82] nvmet: ctrl 1 fatal error occurred!
> [   60.331254] [   T1073] nvme nvme5: qid 0: authentication failed, error -129
> [   60.333179] [   T1073] nvme nvme5: failed to connect queue: 0 ret=-129
> 
> 
> [3] https://lore.kernel.org/linux-nvme/ynmi72x5wt5ooljjafebhcarit3pvu6axkslqenikb2p5txe57@ldytqa2t4i2x/T/#u

That's because the target side needs the same fix. I'll send a patch.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich