Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2025-05-27T05:43:32+00:00 2025-05-27T05:43:32+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-26T08:56:46+00:00 urn:sha1:0a84874c7e7dde5cdddc80a82093120e924a348b Only set the partial block length to zero if the algorithm is block-only. Otherwise the descriptor context could be empty, e.g., for digest_null. Reported-by: syzbot+4851c19615d35f0e4d68@syzkaller.appspotmail.com Fixes: 7650f826f7b2 ("crypto: shash - Handle partial blocks in API") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-19T05:48:19+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-15T05:54:44+00:00 urn:sha1:32a9fd8f498bffd99c5d5441015136206e351ae4 Make reqsize static for shash algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-19T05:48:19+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-15T05:54:35+00:00 urn:sha1:c6a12f394c488cf6a7ca35c1ad51e0e88897de2e Add export_core and import_core hooks. These are intended to be used by algorithms which are wrappers around block-only algorithms, but are not themselves block-only, e.g., hmac. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T10:20:46+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-04T13:33:16+00:00 urn:sha1:f4e365d5ca38941708fbe8356719e3436cef7627 Mark shash algorithms with the REQ_VIRT bit as they can handle virtual addresses as is. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T10:20:46+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-04T13:33:14+00:00 urn:sha1:2b1a29ce3360570aeff053d1315cd504d94eab31 Now that all shash algorithms have converted over to the generic export format, limit the shash state size to HASH_MAX_STATESIZE. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-28T11:40:54+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-23T09:22:31+00:00 urn:sha1:2cfe41630a1a4f24d46825aa9656a51a38fb7f7d Do not copy the exit function in crypto_clone_tfm as it should only be set after init_tfm or clone_tfm has succeeded. Move the setting into crypto_clone_ahash and crypto_clone_shash instead. Also clone the fb if necessary. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-23T03:33:46+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-18T02:58:41+00:00 urn:sha1:7650f826f7b2d84782f9147c51687ff0364125e9 Provide an option to handle the partial blocks in the shash API. Almost every hash algorithm has a block size and are only able to hash partial blocks on finalisation. Rather than duplicating the partial block handling many times, add this functionality to the shash API. It is optional (e.g., hmac would never need this by relying on the partial block handling of the underlying hash), and to enable it set the bit CRYPTO_AHASH_ALG_BLOCK_ONLY. The export format is always that of the underlying hash export, plus the partial block buffer, followed by a single-byte for the partial block length. Set the bit CRYPTO_AHASH_ALG_FINAL_NONZERO to withhold an extra byte in the partial block. This will come in handy when this is extended to ahash where hardware often can't deal with a zero-length final. It will also be used for algorithms requiring an extra block for finalisation (e.g., cmac). As an optimisation, set the bit CRYPTO_AHASH_ALG_FINUP_MAX if the algorithm wishes to get as much data as possible instead of just the last partial block. The descriptor will be zeroed after finalisation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-16T07:36:24+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-12T10:47:47+00:00 urn:sha1:90916934fd093edf62bc0c5c9a940a8efa7db2f8 As all users of the dynamic descsize have been converted to use a static one instead, remove support for dynamic descsize. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-16T07:36:24+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-12T05:16:43+00:00 urn:sha1:f1440a90465bea1993f937ac7add592ce1e4ff44 If the bit CRYPTO_ALG_DUP_FIRST is set, an algorithm will be duplicated by kmemdup before registration. This is inteded for hardware-based algorithms that may be unplugged at will. Do not use this if the algorithm data structure is embedded in a bigger data structure. Perform the duplication in the driver instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2024-04-02T02:49:38+00:00 Eric Biggers ebiggers@google.com 2024-03-13T03:48:21+00:00 urn:sha1:29ce50e078b857977202205394f200a25889636e Remove support for the "Crypto usage statistics" feature (CONFIG_CRYPTO_STATS). This feature does not appear to have ever been used, and it is harmful because it significantly reduces performance and is a large maintenance burden. Covering each of these points in detail: 1. Feature is not being used Since these generic crypto statistics are only readable using netlink, it's fairly straightforward to look for programs that use them. I'm unable to find any evidence that any such programs exist. For example, Debian Code Search returns no hits except the kernel header and kernel code itself and translations of the kernel header: https://codesearch.debian.net/search?q=CRYPTOCFGA_STAT&literal=1&perpkg=1 The patch series that added this feature in 2018 (https://lore.kernel.org/linux-crypto/1537351855-16618-1-git-send-email-clabbe@baylibre.com/) said "The goal is to have an ifconfig for crypto device." This doesn't appear to have happened. It's not clear that there is real demand for crypto statistics. Just because the kernel provides other types of statistics such as I/O and networking statistics and some people find those useful does not mean that crypto statistics are useful too. Further evidence that programs are not using CONFIG_CRYPTO_STATS is that it was able to be disabled in RHEL and Fedora as a bug fix (https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2947). Even further evidence comes from the fact that there are and have been bugs in how the stats work, but they were never reported. For example, before Linux v6.7 hash stats were double-counted in most cases. There has also never been any documentation for this feature, so it might be hard to use even if someone wanted to. 2. CONFIG_CRYPTO_STATS significantly reduces performance Enabling CONFIG_CRYPTO_STATS significantly reduces the performance of the crypto API, even if no program ever retrieves the statistics. This primarily affects systems with a large number of CPUs. For example, https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039576 reported that Lustre client encryption performance improved from 21.7GB/s to 48.2GB/s by disabling CONFIG_CRYPTO_STATS. It can be argued that this means that CONFIG_CRYPTO_STATS should be optimized with per-cpu counters similar to many of the networking counters. But no one has done this in 5+ years. This is consistent with the fact that the feature appears to be unused, so there seems to be little interest in improving it as opposed to just disabling it. It can be argued that because CONFIG_CRYPTO_STATS is off by default, performance doesn't matter. But Linux distros tend to error on the side of enabling options. The option is enabled in Ubuntu and Arch Linux, and until recently was enabled in RHEL and Fedora (see above). So, even just having the option available is harmful to users. 3. CONFIG_CRYPTO_STATS is a large maintenance burden There are over 1000 lines of code associated with CONFIG_CRYPTO_STATS, spread among 32 files. It significantly complicates much of the implementation of the crypto API. After the initial submission, many fixes and refactorings have consumed effort of multiple people to keep this feature "working". We should be spending this effort elsewhere. Acked-by: Ard Biesheuvel <ardb@kernel.org> Acked-by: Corentin Labbe <clabbe@baylibre.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>