kernel/linux.git/arch/arm64/crypto, branch v6.19.12Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.122025-12-10T17:46:26+00:00crypto: arm64/ghash - Fix incorrect output from ghash-neon2025-12-10T17:46:26+00:00Eric Biggersebiggers@kernel.org2025-12-09T22:34:17+00:00urn:sha1:f6a458746f905adb7d70e50e8b9383dc9e3fd75f
Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block
handling") made ghash_finup() pass the wrong buffer to
ghash_do_simd_update(). As a result, ghash-neon now produces incorrect
outputs when the message length isn't divisible by 16 bytes. Fix this.
(I didn't notice this earlier because this code is reached only on CPUs
that support NEON but not PMULL. I haven't yet found a way to get
qemu-system-aarch64 to emulate that configuration.)
Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling")
Cc: stable@vger.kernel.org
Reported-by: Diederik de Haas <diederik@cknow-tech.com>
Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.com/
Tested-by: Diederik de Haas <diederik@cknow-tech.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Link: https://lore.kernel.org/r/20251209223417.112294-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto/arm64: sm4/xts - Merge ksimd scopes to reduce stack bloat2025-12-09T23:10:21+00:00Ard Biesheuvelardb@kernel.org2025-12-03T16:38:06+00:00urn:sha1:6f7d9481920e1bc06ff21c1e6a84fdea49c6ec3d
Merge the two ksimd scopes in the implementation of SM4-XTS to prevent
stack bloat in cases where the compiler fails to combine the stack slots
for the kernel mode FP/SIMD buffers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20251203163803.157541-6-ardb@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto/arm64: aes/xts - Use single ksimd scope to reduce stack bloat2025-12-09T23:10:21+00:00Ard Biesheuvelardb@kernel.org2025-12-03T16:38:05+00:00urn:sha1:a9a8b1a383254c9f4ed7fe23b56937f8ad3ad3ab
The ciphertext stealing logic in the AES-XTS implementation creates a
separate ksimd scope to call into the FP/SIMD core routines, and in some
cases (CONFIG_KASAN_STACK is one, but there might be others), the 528
byte kernel mode FP/SIMD buffer that is allocated inside this scope is
not shared with the preceding ksimd scope, resulting in unnecessary
stack bloat.
Considering that
a) the XTS ciphertext stealing logic is never called for block
encryption use cases, and XTS is rarely used for anything else,
b) in the vast majority of cases, the entire input block is processed
during the first iteration of the loop,
we can combine both ksimd scopes into a single one with no practical
impact on how often/how long FP/SIMD is en/disabled, allowing us to
reuse the same stack slot for both FP/SIMD routine calls.
Fixes: ba3c1b3b5ac9 ("crypto/arm64: aes-blk - Switch to 'ksimd' scoped guard API")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20251203163803.157541-5-ardb@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Merge tag 'arm64-fpsimd-on-stack-for-v6.19' into libcrypto-fpsimd-on-stack2025-11-12T18:15:07+00:00Eric Biggersebiggers@kernel.org2025-11-12T18:14:33+00:00urn:sha1:5dc8d277520be6f0be11f36712e557167b3964c8
Pull fpsimd-on-stack changes from Ard Biesheuvel:
"Shared tag/branch for arm64 FP/SIMD changes going through libcrypto"
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto/arm64: sm4 - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:50:51+00:00urn:sha1:03bc4768fbf1bfe72497204410b58dacf29730d2
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principle, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
crypto/arm64: sm3 - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:47:45+00:00urn:sha1:ab9615b5013fe8a62933212b37faa28d09fe0cbf
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principle, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
crypto/arm64: sha3 - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:47:13+00:00urn:sha1:a6b40844550c73805fe8490bafc0e33ff5922f6c
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principe, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
crypto/arm64: polyval - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:45:49+00:00urn:sha1:931ceb5785755d82d80bb923c22ca08128af7721
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principe, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
crypto/arm64: nhpoly1305 - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:44:23+00:00urn:sha1:72cb51233b59429bd9920f396d4a2e8cd1ad1a40
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principe, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
crypto/arm64: aes-gcm - Switch to 'ksimd' scoped guard API2025-11-12T08:52:02+00:00Ard Biesheuvelardb@kernel.org2025-10-01T11:43:59+00:00urn:sha1:87c9b04e715d13a7c110b17a66ad279da821cd0e
Switch to the more abstract 'scoped_ksimd()' API, which will be modified
in a future patch to transparently allocate a kernel mode FP/SIMD state
buffer on the stack, so that kernel mode FP/SIMD code remains
preemptible in principe, but without the memory overhead that adds 528
bytes to the size of struct task_struct.
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>