Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2025-10-08T08:13:07+00:00 2025-10-08T08:13:07+00:00 T Pratham t-pratham@ti.com 2025-10-07T13:57:51+00:00 urn:sha1:229c586b5e86979badb7cb0d38717b88a9e95ddd Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs [1] instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in skcipher algorithms, hence, causes memory corruptions and crashes as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [2] Add proper set_reqsize calls in the skcipher init function to properly initialize reqsize for these algorithms in the framework. [1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/ [2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b Fixes: afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") Fixes: 52f641bc63a4 ("crypto: ti - Add driver for DTHE V2 AES Engine (ECB, CBC)") Signed-off-by: T Pratham <t-pratham@ti.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-28T11:45:26+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-27T00:42:54+00:00 urn:sha1:0f8d42bf128d349ad490e87d5574d211245e40f1 Move the generic part of skcipher walk into scatterwalk, and use it to implement memcpy_sglist. This makes memcpy_sglist do the right thing when two distinct SG lists contain identical subsets (e.g., the AD part of AEAD). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-04-16T07:36:24+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-12T05:16:43+00:00 urn:sha1:f1440a90465bea1993f937ac7add592ce1e4ff44 If the bit CRYPTO_ALG_DUP_FIRST is set, an algorithm will be duplicated by kmemdup before registration. This is inteded for hardware-based algorithms that may be unplugged at will. Do not use this if the algorithm data structure is embedded in a bigger data structure. Perform the duplication in the driver instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-21T09:33:38+00:00 Eric Biggers ebiggers@google.com 2025-03-10T17:20:16+00:00 urn:sha1:7450ebd29cd9b9745f005f2609badacea15fbe30 Now that the address returned by scatterwalk_map() is always being stored into the same struct scatter_walk that is passed in, make scatterwalk_map() do so itself and return void. Similarly, now that scatterwalk_unmap() is always being passed the address field within a struct scatter_walk, make scatterwalk_unmap() take a pointer to struct scatter_walk instead of the address directly. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-15T08:21:22+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-03-08T12:45:25+00:00 urn:sha1:db873be6f0549597f92c72986b1939643a7f9a75 Reuse the addr field from struct scatter_walk for skcipher_walk. Keep the existing virt.addr fields but make them const for the user to access the mapped address. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-15T08:21:22+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-03-08T12:45:21+00:00 urn:sha1:65775cf313987926e9746b0ca7f5519d297af2da Rather than returning the address and storing the length into an argument pointer, add an address field to the walk struct and use that to store the address. The length is returned directly. Change the done functions to use this stored address instead of getting them from the caller. Split the address into two using a union. The user should only access the const version so that it is never changed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-08T08:24:36+00:00 Eric Biggers ebiggers@google.com 2025-03-06T03:33:05+00:00 urn:sha1:eca6828403b80343647de39d4782ee56cc9e36dd Local kunmaps have to be unmapped in the opposite order from which they were mapped. My recent change flipped the unmap order in the SKCIPHER_WALK_DIFF case. Adjust the mapping side to match. This fixes a WARN_ON_ONCE that was triggered when running the crypto-self tests on a 32-bit kernel with CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP=y. Fixes: 95dbd711b1d8 ("crypto: skcipher - use the new scatterwalk functions") Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-02T07:21:47+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-02-23T06:27:51+00:00 urn:sha1:f79d2d2852facc72b91a78e5c423722c7dc53d72 Rather than accessing 'alg' directly to avoid the aliasing issue which leads to unnecessary reloads, use the __restrict keyword to explicitly tell the compiler that there is no aliasing. This generates equivalent if not superior code on x86 with gcc 12. Note that in skcipher_walk_virt the alg assignment is moved after might_sleep_if because that function is a compiler barrier and forces a reload. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-02T07:19:44+00:00 Eric Biggers ebiggers@google.com 2025-02-19T18:23:41+00:00 urn:sha1:641938d3bba64287f199431fafd917bc7b7c9d1a When !HIGHMEM, the kmap_local_page() in the scatterlist walker does not actually map anything, and the address it returns is just the address from the kernel's direct map, where each sg entry's data is virtually contiguous. To improve performance, stop unnecessarily clamping data segments to page boundaries in this case. For now, still limit segments to PAGE_SIZE. This is needed to prevent preemption from being disabled for too long when SIMD is used, and to support the alignmask case which still uses a page-sized bounce buffer. Even so, this change still helps a lot in cases where messages cross a page boundary. For example, testing IPsec with AES-GCM on x86_64, the messages are 1424 bytes which is less than PAGE_SIZE, but on the Rx side over a third cross a page boundary. These ended up being processed in three parts, with the middle part going through skcipher_next_slow which uses a 16-byte bounce buffer. That was causing a significant amount of overhead which unnecessarily reduced the performance benefit of the new x86_64 AES-GCM assembly code. This change solves the problem; all these messages now get passed to the assembly code in one part. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-02T07:19:44+00:00 Eric Biggers ebiggers@google.com 2025-02-19T18:23:39+00:00 urn:sha1:95dbd711b1d81278d703e05eb5288eac758430c1 Convert skcipher_walk to use the new scatterwalk functions. This includes a few changes to exactly where the different parts of the iteration happen. For example the dcache flush that previously happened in scatterwalk_done() now happens in scatterwalk_dst_done() or in memcpy_to_scatterwalk(). Advancing to the next sg entry now happens just-in-time in scatterwalk_clamp() instead of in scatterwalk_done(). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>