Re: [PATCH] crypto/authenc: don't return -EBUSY when enqueuing the hash request

[Mikulas Patocka <mpatocka@redhat.com>]

On Tue, 23 Sep 2025, Mikulas Patocka wrote:

> 
> 
> On Tue, 23 Sep 2025, Herbert Xu wrote:
> 
> > If authenc gets EBUSY from the ahash, then the ahash is responsible
> > for sending an EINPROGRESS notification.  I just checked the authenc
> > code and it does pass the notification back up to the caller (which
> > is dm-crypt).
> > 
> > So if EINPROGRESS is not being received, then it's a bug in the
> > ahash layer or the underlying ahash algorithm.
> 
> static void authenc_request_complete(struct aead_request *req, int err)
> {
>         if (err != -EINPROGRESS)
>                 aead_request_complete(req, err);
> }
> 
> This prevents -EINPROGRESS from reaching dm-crypt. If I remove the 
> condition "err != -EINPROGRESS", the deadlock goes away. Though, removing 
> it may break other things - we may send -EINPROGRESS twice, first for the 
> hash and then for the decryption.
> 
> > Which phmac implementation was this?
> 
> It was pseudo_phmac out-of-tree module sent by Harald Freudenberger. He 
> CC'd you, so you should have it as an attachment in your inbox.
> 
> The following scripts creates the buggy device mapper device:
> 
> #!/bin/sh -ex
> sync
> modprobe crypto_engine
> insmod ~/c/phmac/pseudo_phmac/phmac.ko
> modprobe brd rd_size=1048576
> dmsetup create cr_dif --table '0 2031880 integrity 1:0 32768 32 J 7 block_size:4096 interleave_sectors:32768 buffer_sectors:128 journal_sectors:16368 journal_watermark:50 commit_time:10000 fix_padding'
> dmsetup create cr --table '0 2031880 crypt capi:authenc(phmac(sha256),xts(aes))-plain64 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0 252:0 0 2 integrity:32:aead sector_size:4096'
> dd if=/dev/zero of=/dev/mapper/cr bs=1M oflag=direct status=progress
> 
> > Cheers,
> 
> Mikulas

What do you think about this patch? Do you think that it is the right 
direction to fix it?

Mikulas


From: Mikulas Patocka <mpatocka@redhat.com>

The function authenc_request_complete ignores -EINPROGRESS. This causes
deadlock in dm-crypt when using it with authenticated encryption with an
asynchronous hash implementation.

This patch makes it pass -EINPROGRESS to the caller. Note that we don't
want to report -EINPROGRESS twice (one for the hash and the second one
for the cipher), so we set a flag and report -EINPROGRESS just once.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
---
 crypto/authenc.c       |   11 +++++++++--
 include/linux/crypto.h |    1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

Index: linux-2.6/crypto/authenc.c
===================================================================
--- linux-2.6.orig/crypto/authenc.c	2025-09-23 16:15:42.000000000 +0200
+++ linux-2.6/crypto/authenc.c	2025-09-23 16:32:57.000000000 +0200
@@ -37,8 +37,15 @@ struct authenc_request_ctx {
 
 static void authenc_request_complete(struct aead_request *req, int err)
 {
-	if (err != -EINPROGRESS)
-		aead_request_complete(req, err);
+	if (unlikely(err == -EINPROGRESS)) {
+		req->base.flags |= CRYPTO_TFM_REQ_REPORT_EINPROGRESS;
+		return;
+	}
+	if (unlikely(req->base.flags & CRYPTO_TFM_REQ_REPORT_EINPROGRESS)) {
+		aead_request_complete(req, -EINPROGRESS);
+		req->base.flags &=~ CRYPTO_TFM_REQ_REPORT_EINPROGRESS;
+	}
+	aead_request_complete(req, err);
 }
 
 int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
Index: linux-2.6/include/linux/crypto.h
===================================================================
--- linux-2.6.orig/include/linux/crypto.h	2025-08-15 17:28:24.000000000 +0200
+++ linux-2.6/include/linux/crypto.h	2025-09-23 16:17:05.000000000 +0200
@@ -151,6 +151,7 @@
 #define CRYPTO_TFM_REQ_MAY_SLEEP	0x00000200
 #define CRYPTO_TFM_REQ_MAY_BACKLOG	0x00000400
 #define CRYPTO_TFM_REQ_ON_STACK		0x00000800
+#define CRYPTO_TFM_REQ_REPORT_EINPROGRESS 0x00100000
 
 /*
  * Miscellaneous stuff.