From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, ebiggers@google.com, ardb@kernel.org
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>, stable@vger.kernel.org
Subject: [PATCH crypto-stable] crypto: arch/lib - limit simd usage to PAGE_SIZE chunks
Date: Mon, 20 Apr 2020 01:57:11 -0600
Message-Id: <20200420075711.2385190-1-Jason@zx2c4.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The initial Zinc patchset, after some mailing list discussion, contained
code to ensure that kernel_fpu_begin() would not keep the FPU on for more
than a PAGE_SIZE chunk at a time, since it disables preemption. The choice
of PAGE_SIZE isn't totally scientific, but it's not a bad guess either,
and it's what's used in both the x86 poly1305 and blake2s library code
already. Unfortunately it appears to have been left out of the final
patchset that actually added the glue code. So, this commit adds back the
PAGE_SIZE chunking.

Fixes: 84e03fa39fbe ("crypto: x86/chacha - expose SIMD ChaCha routine as library function")
Fixes: b3aad5bad26a ("crypto: arm64/chacha - expose arm64 ChaCha routine as library function")
Fixes: a44a3430d71b ("crypto: arm/chacha - expose ARM ChaCha routine as library function")
Fixes: f569ca164751 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
Fixes: a6b803b3ddc7 ("crypto: arm/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation")
Cc: Eric Biggers <ebiggers@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
Eric, Ard - I'm wondering if this was in fact just an oversight in Ard's
patches, or if there was actually some later discussion in which we
concluded that the PAGE_SIZE chunking wasn't required, perhaps because of
FPU changes. If that's the case, please do let me know, in which case I'll
submit a _different_ patch that removes the chunking from x86 poly and
blake. I can't find any emails that would indicate that, but I might be
mistaken.
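For reference, the chunking pattern the patch re-adds can be sketched as a
standalone userspace program. This is an illustrative sketch only, not kernel
code: PAGE_SIZE is hardcoded here, and fpu_begin()/fpu_end()/process_chunk()
are hypothetical stubs standing in for kernel_fpu_begin()/kernel_fpu_end()
(or kernel_neon_begin()/kernel_neon_end()) and the SIMD routine:

```c
#include <assert.h>
#include <string.h>

#define PAGE_SIZE 4096u  /* stand-in for the kernel's PAGE_SIZE */

static unsigned int fpu_sections; /* counts begin/end pairs */
static unsigned int max_chunk;    /* largest chunk processed with "FPU" held */

/* Stubs standing in for kernel_fpu_begin()/kernel_fpu_end(). */
static void fpu_begin(void) { fpu_sections++; }
static void fpu_end(void) { }

/* Stand-in for the SIMD routine: XOR the buffer with a constant byte. */
static void process_chunk(unsigned char *dst, const unsigned char *src,
			  unsigned int len)
{
	if (len > max_chunk)
		max_chunk = len;
	for (unsigned int i = 0; i < len; i++)
		dst[i] = src[i] ^ 0x5a;
}

/*
 * The loop from the patch: never hold the FPU (i.e. never keep preemption
 * disabled) for more than PAGE_SIZE bytes of work. Callers guarantee
 * bytes > 0, as the kernel glue code does via its early-return paths.
 */
static void crypt_chunked(unsigned char *dst, const unsigned char *src,
			  unsigned int bytes)
{
	for (;;) {
		unsigned int todo = bytes < PAGE_SIZE ? bytes : PAGE_SIZE;

		fpu_begin();
		process_chunk(dst, src, todo);
		fpu_end();

		bytes -= todo;
		if (!bytes)
			break;
		src += todo;
		dst += todo;
	}
}
```

With a 10000-byte input, for example, the work is split into three begin/end
sections of 4096, 4096, and 1808 bytes, so no single section exceeds one page
of data.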
 arch/arm/crypto/chacha-glue.c        | 16 +++++++++++++---
 arch/arm/crypto/poly1305-glue.c      | 17 +++++++++++++----
 arch/arm64/crypto/chacha-neon-glue.c | 16 +++++++++++++---
 arch/arm64/crypto/poly1305-glue.c    | 17 +++++++++++++----
 arch/x86/crypto/chacha_glue.c        | 16 +++++++++++++---
 5 files changed, 65 insertions(+), 17 deletions(-)

diff --git a/arch/arm/crypto/chacha-glue.c b/arch/arm/crypto/chacha-glue.c
index 6fdb0ac62b3d..0e29ebac95fd 100644
--- a/arch/arm/crypto/chacha-glue.c
+++ b/arch/arm/crypto/chacha-glue.c
@@ -91,9 +91,19 @@ void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
 		return;
 	}
 
-	kernel_neon_begin();
-	chacha_doneon(state, dst, src, bytes, nrounds);
-	kernel_neon_end();
+	for (;;) {
+		unsigned int todo = min_t(unsigned int, PAGE_SIZE, bytes);
+
+		kernel_neon_begin();
+		chacha_doneon(state, dst, src, todo, nrounds);
+		kernel_neon_end();
+
+		bytes -= todo;
+		if (!bytes)
+			break;
+		src += todo;
+		dst += todo;
+	}
 }
 EXPORT_SYMBOL(chacha_crypt_arch);
diff --git a/arch/arm/crypto/poly1305-glue.c b/arch/arm/crypto/poly1305-glue.c
index ceec04ec2f40..536a4a943ebe 100644
--- a/arch/arm/crypto/poly1305-glue.c
+++ b/arch/arm/crypto/poly1305-glue.c
@@ -160,13 +160,22 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
 
 		if (static_branch_likely(&have_neon) && do_neon) {
-			kernel_neon_begin();
-			poly1305_blocks_neon(&dctx->h, src, len, 1);
-			kernel_neon_end();
+			for (;;) {
+				unsigned int todo = min_t(unsigned int, PAGE_SIZE, len);
+
+				kernel_neon_begin();
+				poly1305_blocks_neon(&dctx->h, src, todo, 1);
+				kernel_neon_end();
+
+				len -= todo;
+				if (!len)
+					break;
+				src += todo;
+			}
 		} else {
 			poly1305_blocks_arm(&dctx->h, src, len, 1);
+			src += len;
 		}
-		src += len;
 		nbytes %= POLY1305_BLOCK_SIZE;
 	}
diff --git a/arch/arm64/crypto/chacha-neon-glue.c b/arch/arm64/crypto/chacha-neon-glue.c
index 37ca3e889848..3eff767f4f77 100644
--- a/arch/arm64/crypto/chacha-neon-glue.c
+++ b/arch/arm64/crypto/chacha-neon-glue.c
@@ -87,9 +87,19 @@ void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
 	    !crypto_simd_usable())
 		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
 
-	kernel_neon_begin();
-	chacha_doneon(state, dst, src, bytes, nrounds);
-	kernel_neon_end();
+	for (;;) {
+		unsigned int todo = min_t(unsigned int, PAGE_SIZE, bytes);
+
+		kernel_neon_begin();
+		chacha_doneon(state, dst, src, todo, nrounds);
+		kernel_neon_end();
+
+		bytes -= todo;
+		if (!bytes)
+			break;
+		src += todo;
+		dst += todo;
+	}
 }
 EXPORT_SYMBOL(chacha_crypt_arch);
diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
index e97b092f56b8..616134bef02c 100644
--- a/arch/arm64/crypto/poly1305-glue.c
+++ b/arch/arm64/crypto/poly1305-glue.c
@@ -143,13 +143,22 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
 
 		if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
-			kernel_neon_begin();
-			poly1305_blocks_neon(&dctx->h, src, len, 1);
-			kernel_neon_end();
+			for (;;) {
+				unsigned int todo = min_t(unsigned int, PAGE_SIZE, len);
+
+				kernel_neon_begin();
+				poly1305_blocks_neon(&dctx->h, src, todo, 1);
+				kernel_neon_end();
+
+				len -= todo;
+				if (!len)
+					break;
+				src += todo;
+			}
 		} else {
 			poly1305_blocks(&dctx->h, src, len, 1);
+			src += len;
 		}
-		src += len;
 		nbytes %= POLY1305_BLOCK_SIZE;
 	}
diff --git a/arch/x86/crypto/chacha_glue.c b/arch/x86/crypto/chacha_glue.c
index b412c21ee06e..10733035b81c 100644
--- a/arch/x86/crypto/chacha_glue.c
+++ b/arch/x86/crypto/chacha_glue.c
@@ -153,9 +153,19 @@ void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
 	    bytes <= CHACHA_BLOCK_SIZE)
 		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
 
-	kernel_fpu_begin();
-	chacha_dosimd(state, dst, src, bytes, nrounds);
-	kernel_fpu_end();
+	for (;;) {
+		unsigned int todo = min_t(unsigned int, PAGE_SIZE, bytes);
+
+		kernel_fpu_begin();
+		chacha_dosimd(state, dst, src, todo, nrounds);
+		kernel_fpu_end();
+
+		bytes -= todo;
+		if (!bytes)
+			break;
+		src += todo;
+		dst += todo;
+	}
 }
 EXPORT_SYMBOL(chacha_crypt_arch);
-- 
2.26.1