On Wed, Oct 12, 2022 at 11:08:53PM -0700, Eric Biggers wrote:
.
> When len == 0, the following path is taken instead:
>
> if (!crypto_simd_usable() ||
> (sctx->count % SHA1_BLOCK_SIZE) + len < SHA1_BLOCK_SIZE)
> return crypto_sha1_update(desc, data, len);

Good point, I missed that.

Thanks!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2022-10-13 13:54:25

by kernel test robot

[permalink] [raw]

Subject: Re: [PATCH v2 16/19] crypto: x86 - print CPU optimized loaded messages

Hi Robert,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on herbert-cryptodev-2.6/master]
[also build test WARNING on herbert-crypto-2.6/master linus/master next-20221012]
[cannot apply to v6.0]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Robert-Elliott/crypto-tcrypt-test-crc32/20221013-065919
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: x86_64-allyesconfig
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/15a63fd12ab4d509e54c5db6daf2e8e81fdf0cf5
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Robert-Elliott/crypto-tcrypt-test-crc32/20221013-065919
git checkout 15a63fd12ab4d509e54c5db6daf2e8e81fdf0cf5
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash arch/x86/crypto/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

>> arch/x86/crypto/serpent_avx2_glue.c:100:32: warning: 'module_cpu_ids' defined but not used [-Wunused-const-variable=]
100 | static const struct x86_cpu_id module_cpu_ids[] = {
| ^~~~~~~~~~~~~~
--
>> arch/x86/crypto/aegis128-aesni-glue.c:268:32: warning: 'module_cpu_ids' defined but not used [-Wunused-const-variable=]
268 | static const struct x86_cpu_id module_cpu_ids[] = {
| ^~~~~~~~~~~~~~
--
>> arch/x86/crypto/sm4_aesni_avx_glue.c:451:32: warning: 'module_cpu_ids' defined but not used [-Wunused-const-variable=]
451 | static const struct x86_cpu_id module_cpu_ids[] = {
| ^~~~~~~~~~~~~~

vim +/module_cpu_ids +100 arch/x86/crypto/serpent_avx2_glue.c

e16bf974b3d965 Eric Biggers 2018-02-19 99
385e7cb709ad4a Robert Elliott 2022-10-12 @100 static const struct x86_cpu_id module_cpu_ids[] = {
385e7cb709ad4a Robert Elliott 2022-10-12 101 X86_MATCH_FEATURE(X86_FEATURE_AVX2, NULL),
385e7cb709ad4a Robert Elliott 2022-10-12 102 {}
385e7cb709ad4a Robert Elliott 2022-10-12 103 };
385e7cb709ad4a Robert Elliott 2022-10-12 104 MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids);
385e7cb709ad4a Robert Elliott 2022-10-12 105

--
0-DAY CI Kernel Test Service
https://01.org/lkp

Attachments:

(No filename) (2.71 kB)
config (295.86 kB)
Download all attachments

2022-10-13 13:57:07

Greeting,

FYI, we noticed ltp.fsopen01.fail due to commit (built with gcc-11):

commit: 0c664cbc906012f02c5bf128cf2dff854cca65c7 ("[PATCH v2 05/19] crypto: x86/crc - limit FPU preemption")
url: https://github.com/intel-lab-lkp/linux/commits/Robert-Elliott/crypto-tcrypt-test-crc32/20221013-065919
base: https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link: https://lore.kernel.org/linux-crypto/[email protected]
patch subject: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

in testcase: ltp
version: ltp-x86_64-14c1f76-1_20221009
with following parameters:

disk: 1HDD
fs: ext4
test: syscalls-07

test-description: The LTP testsuite contains a collection of tools for testing the Linux kernel and related features.
test-url: http://linux-test-project.github.io/

on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

<<<test_start>>>
tag=fsopen01 stime=1666383665
cmdline="fsopen01"
contacts=""
analysis=exit
<<<test_output>>>
...
tst_test.c:1599: TINFO: === Testing on btrfs ===
tst_test.c:1064: TINFO: Formatting /dev/loop0 with btrfs opts='' extra opts=''
fsopen01.c:42: TFAIL: fsconfig(FSCONFIG_CMD_CREATE) failed: EINVAL (22)
fsopen01.c:42: TFAIL: fsconfig(FSCONFIG_CMD_CREATE) failed: EINVAL (22)
...

Summary:
passed 12
failed 2
broken 0
skipped 0
warnings 0
<<<execution_status>>>
initiation_status="ok"
duration=3 termination_type=exited termination_id=1 corefile=no
cutime=3 cstime=47
<<<test_end>>>

[ 152.413919][ T4912] BTRFS: device fsid 05e51863-81c3-4c32-9e24-3d49d849f724 devid 1 transid 6 /dev/loop0 scanned by mkfs.btrfs (4912)
[ 152.429076][ T4851] BTRFS info (device loop0): using crc32c (crc32c-intel) checksum algorithm
[ 152.438743][ T4851] BTRFS info (device loop0): using free space tree
[ 152.449103][ T8] BTRFS warning (device loop0): checksum verify failed on logical 22036480 mirror 1 wanted 0xc4a1f4f3 found 0x76f09a51 level 0
[ 152.463363][ T35] BTRFS warning (device loop0): checksum verify failed on logical 22036480 mirror 2 wanted 0xc4a1f4f3 found 0x76f09a51 level 0
[ 152.477446][ T4851] BTRFS error (device loop0): failed to read chunk root
[ 152.486164][ T4851] BTRFS error (device loop0): open_ctree failed

If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/r/[email protected]

To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp

Attachments:

(No filename) (3.05 kB)
config-6.0.0-rc1-00131-g0c664cbc9060 (171.47 kB)
job-script (5.89 kB)
dmesg.xz (91.50 kB)
ltp (197.87 kB)
job.yaml (4.85 kB)
reproduce (302.00 B)
Download all attachments

2022-11-01 21:54:53

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: RE: [PATCH v2 00/19] crypto: x86 - fix RCU stalls

> -----Original Message-----
> From: Elliott, Robert (Servers) <[email protected]>
> Sent: Wednesday, October 12, 2022 4:59 PM
> To: [email protected]; [email protected];
> [email protected]; [email protected]; [email protected]; linux-
> [email protected]; [email protected]
> Cc: Elliott, Robert (Servers) <[email protected]>
> Subject: [PATCH v2 00/19] crypto: x86 - fix RCU stalls
>
> This series fixes the RCU stalls triggered by the x86 crypto
> modules discussed in
> https://lore.kernel.org/all/MW5PR84MB18426EBBA3303770A8BC0BDFAB759@MW5PR84
> MB1842.NAMPRD84.PROD.OUTLOOK.COM/

I've instrumented all the x86 crypto modules, including ways to
experiment with different loop sizes. Here are some results with
the hash functions.

Key:
calls = number of kernel_fpu_begin()/end() calls made by the module
cost = number of CPU cycles consumed by those calls (overhead)
maxcycles = number of CPU cycles between those calls in FPU context
bpf = bytes_per_fpu loop size
KiB = bpf expressed in KiB
maxlen = maximum number of bytes per loop via update()
maxlen2 = maximum number of bytes per loop via finup()

This is on a 2.2 GHz Cascade Lake CPU, where each cycle is nominally
0.45 ns. The CPU does not support SHA-NI instructions, so those
results are missing.

Here are the results from a boot with the avx2 bytes_per_fpu values set
to 0 (unlimited - original behavior).

Booting includes:
- processing 2.3 GB of SHA-512 kernel module hashes
- crypto self-tests
- crypto extra self-tests (CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y)

calls cost maxcycles bpf KiB maxlen maxlen2 algorithm module
======== =========== ============ ======== ==== ======== ======== ======================== ============================
3641 177182 10230 0 0 4096 0 __ghash-pclmulqdqni ghash_clmulni_intel
2242 150516 1684 0 0 8112 0 crc32-pclmul crc32_pclmul
1008 43800 22404 0 0 8068 8105 crc32c-intel crc32c_intel
2565 179734 4286 0 0 7791 8027 crct10dif-pclmul crct10dif_pclmul
1603 77112 2414 0 0 8132 0 nhpoly1305-avx2 nhpoly1305_avx2
1671 81108 9390 203776 199 8109 0 nhpoly1305-sse2 nhpoly1305_sse2
1977 103598 5314 0 0 8112 0 poly1305-simd poly1305_x86_64
26744 1251756 2046 0 0 8096 0 polyval-clmulni polyval_clmulni
14669 682428 65462 30720 30 251 8096 sha1-avx sha1_ssse3
14669 682428 65462 0 0 7170 0 sha1-avx2 sha1_ssse3
14669 682428 65462 34816 34 0 0 sha1-shani sha1_ssse3
14669 682428 65462 26624 26 8089 8164 sha1-ssse3 sha1_ssse3
26768 1230100 144902 11264 11 8130 8159 sha224-avx sha256_ssse3
26768 1230100 144902 13312 13 8078 8146 sha224-avx2 sha256_ssse3
26768 1230100 144902 13312 13 0 0 sha224-shani sha256_ssse3
26768 1230100 144902 11264 11 8068 8168 sha224-ssse3 sha256_ssse3
26768 1230100 144902 11264 11 8130 8159 sha256-avx sha256_ssse3
26768 1230100 144902 13312 13 8078 8146 sha256-avx2 sha256_ssse3
26768 1230100 144902 13312 13 0 0 sha256-shani sha256_ssse3
26768 1230100 144902 11264 11 8068 8168 sha256-ssse3 sha256_ssse3
29157 2044882 164510724 17408 17 0 8127 sha384-avx sha512_ssse3
29157 2044882 164510724 0 0 0 48175432 sha384-avx2 sha512_ssse3
29157 2044882 164510724 17408 17 0 8055 sha384-ssse3 sha512_ssse3
29157 2044882 164510724 17408 17 0 8127 sha512-avx sha512_ssse3
29157 2044882 164510724 0 0 0 48175432 sha512-avx2 sha512_ssse3
29157 2044882 164510724 17408 17 0 8055 sha512-ssse3 sha512_ssse3
4314 193456 124918 0 0 7672 8101 sm3-avx sm3_avx_x86_64

The self-tests only test small data sets (even the extra tests
limit themselves to PAGE_SIZE * 2) so only the sha512_ssse3
module was stressed with large requests.

The cost of the kernel_fpu_begin()/end() calls (2044882 cycles) was
929 us, and the longest time in FPU context (164510724) was 75 ms.
I think the biggest file it encounters is:
-rw-r--r--. 1 root root 48186713 Nov 1 13:14 /lib/modules/6.0.0+/kernel/fs/xfs/xfs.ko

I added tcrypt tests to exercise each driver ten times with 1 MiB data,
and that exposes all the drivers to larger requests.

bigbuf tests with no limits:
calls cost maxcycles bpf KiB maxlen maxlen2 algorithm module
======== =========== ============ ======== ==== ======== ======== ======================== ============================
1000 156354 1484434 0 0 1048576 0 __ghash-pclmulqdqni ghash_clmulni_intel
1000 150386 221710 0 0 1048576 0 crc32-pclmul crc32_pclmul
1000 104890 114000 0 0 1048576 0 crc32c-intel crc32c_intel
1000 169596 182904 0 0 1048576 0 crct10dif-pclmul crct10dif_pclmul
1000 122842 267568 0 0 1048576 0 nhpoly1305-avx2 nhpoly1305_avx2
1000 190530 453118 0 0 1048576 0 nhpoly1305-sse2 nhpoly1305_sse2
1000 134682 431264 0 0 1048576 0 poly1305-simd poly1305_x86_64
8000 387206 215922 0 0 1048576 0 polyval-clmulni polyval_clmulni
6000 562932 2831190 0 0 1048576 0 sha1-avx sha1_ssse3
6000 562932 2831190 0 0 1048576 0 sha1-avx2 sha1_ssse3
6000 562932 2831190 34816 34 0 0 sha1-shani sha1_ssse3
6000 562932 2831190 0 0 1048576 0 sha1-ssse3 sha1_ssse3
12000 1212742 6558712 0 0 1048576 0 sha224-avx sha256_ssse3
12000 1212742 6558712 0 0 1048576 0 sha224-avx2 sha256_ssse3
12000 1212742 6558712 13312 13 0 0 sha224-shani sha256_ssse3
12000 1212742 6558712 0 0 1048576 0 sha224-ssse3 sha256_ssse3
12000 1212742 6558712 0 0 1048576 0 sha256-avx sha256_ssse3
12000 1212742 6558712 0 0 1048576 0 sha256-avx2 sha256_ssse3
12000 1212742 6558712 13312 13 0 0 sha256-shani sha256_ssse3
12000 1212742 6558712 0 0 1048576 0 sha256-ssse3 sha256_ssse3
12006 1250296 4621038 0 0 1048576 0 sha384-avx sha512_ssse3
12006 1250296 4621038 0 0 1048576 1037416 sha384-avx2 sha512_ssse3
12006 1250296 4621038 0 0 1048576 0 sha384-ssse3 sha512_ssse3
12006 1250296 4621038 0 0 1048576 0 sha512-avx sha512_ssse3
12006 1250296 4621038 0 0 1048576 1037416 sha512-avx2 sha512_ssse3
12006 1250296 4621038 0 0 1048576 0 sha512-ssse3 sha512_ssse3
2000 221468 6236756 0 0 1048576 0 sm3-avx sm3_avx_x86_64

Setting bpf limits based on those results narrows the maxcycles in
FPU context. I've seen results vary from 81912 (37 us) to
(102 us) - not real tight, but much better than ranging up
to 75 ms.

bigbuf tests with bytes_per_fpu limits as shown:
calls cost maxcycles bpf KiB maxlen maxlen2 algorithm module
======== =========== ============ ======== ==== ======== ======== ======================== ============================
21000 1002372 138558 51200 50 51200 0 __ghash-pclmulqdqni ghash_clmulni_intel
2000 220666 226806 646912 631 646912 0 crc32-pclmul crc32_pclmul
2000 255110 105968 895232 874 895232 0 crc32c-intel crc32c_intel
2000 218942 107930 626944 612 626944 0 crct10dif-pclmul crct10dif_pclmul
4000 208170 141356 345088 337 345088 0 nhpoly1305-avx2 nhpoly1305_avx2
6000 285286 105072 203520 198 203520 0 nhpoly1305-sse2 nhpoly1305_sse2
5000 368866 162262 222976 217 222976 0 poly1305-simd poly1305_x86_64
10000 457010 142362 402688 393 402688 0 polyval-clmulni polyval_clmulni
108000 6048076 160670 30720 30 30720 0 sha1-avx sha1_ssse3
108000 6048076 160670 34816 34 34816 0 sha1-avx2 sha1_ssse3
108000 6048076 160670 27392 26 27392 0 sha1-ssse3 sha1_ssse3
520000 23646576 196462 11520 11 11520 0 sha224-avx sha256_ssse3
520000 23646576 196462 14080 13 14080 0 sha224-avx2 sha256_ssse3
520000 23646576 196462 11776 11 11776 0 sha224-ssse3 sha256_ssse3
520000 23646576 196462 11520 11 11520 0 sha256-avx sha256_ssse3
520000 23646576 196462 14080 13 14080 0 sha256-avx2 sha256_ssse3
520000 23646576 196462 11776 11 11776 0 sha256-ssse3 sha256_ssse3
356156 18242860 226538 17152 16 17152 0 sha384-avx sha512_ssse3
356156 18242860 226538 20480 20 20480 20480 sha384-avx2 sha512_ssse3
356156 18242860 226538 17408 17 17408 0 sha384-ssse3 sha512_ssse3
356156 18242860 226538 17152 16 17152 0 sha512-avx sha512_ssse3
356156 18242860 226538 20480 20 20480 20480 sha512-avx2 sha512_ssse3
356156 18242860 226538 17408 17 17408 0 sha512-ssse3 sha512_ssse3
93000 4537164 138924 11520 11 11520 0 sm3-avx sm3_avx_x86_64

If I reboot with sha512-avx2 set to 20 KiB, the sha512-avx2
maxlength can still take a long time (e.g., 2 ms). That's much
better than the original 75 ms, but still not in the 50 us range.

I set /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to
"performance" in .bash_profile, but that's not effective during
boot, so maybe that is the source of variability.

Example boot with 20 KiB limit:
calls cost maxcycles bpf KiB maxlen maxlen2 algorithm module
======== =========== ============ ======== ==== ======== ======== ======================== ============================
161011 16232280 4049644 20480 20 0 20480 sha512-avx2 sha512_ssse3

Limiting it to 1 KiB does reduce maxcycles to the us range, but
the cost of all the extra calls soars.

So, for v3 of the series, I plan to propose values ranging from:
- 11 to 20 KiB for sha* amd sm3
- 200 to 400 Kib for *poly*
- 600 to 800 KiB for crc*

v3 will only cover the hash functions - skcipher and aead
have some unique challenges that we can tackle later.

2022-11-03 04:30:36

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: [PATCH v3 00/17] crypt: x86 - fix RCU stalls

2022-11-03 04:30:36

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: [PATCH v3 05/17] crypto: x86/crc - limit FPU preemption

Limit the number of bytes processed between kernel_fpu_begin() and
kernel_fpu_end() calls.

Those functions call preempt_disable() and preempt_enable(), so
the CPU core is unavailable for scheduling while running, leading to:
rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: ...

Fixes: 78c37d191dd6 ("crypto: crc32 - add crc32 pclmulqdq implementation and wrappers for table implementation")
Fixes: 6a8ce1ef3940 ("crypto: crc32c - Optimize CRC32C calculation with PCLMULQDQ instruction")
Fixes: 0b95a7f85718 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
Suggested-by: Herbert Xu <[email protected]>
Signed-off-by: Robert Elliott <[email protected]>

---
v3 use while loops and static int, simplify one of the loop structures,
add algorithm-specific limits, use local stack variable in crc32 finup
rather than the context pointer like update uses
---
arch/x86/crypto/crc32-pclmul_asm.S | 6 +--
arch/x86/crypto/crc32-pclmul_glue.c | 27 +++++++++----
arch/x86/crypto/crc32c-intel_glue.c | 52 ++++++++++++++++++-------
arch/x86/crypto/crct10dif-pclmul_glue.c | 48 +++++++++++++++++------
4 files changed, 99 insertions(+), 34 deletions(-)

diff --git a/arch/x86/crypto/crc32-pclmul_asm.S b/arch/x86/crypto/crc32-pclmul_asm.S
index ca53e96996ac..9abd861636c3 100644
--- a/arch/x86/crypto/crc32-pclmul_asm.S
+++ b/arch/x86/crypto/crc32-pclmul_asm.S
@@ -72,15 +72,15 @@
.text
/**
* Calculate crc32
- * BUF - buffer (16 bytes aligned)
- * LEN - sizeof buffer (16 bytes aligned), LEN should be grater than 63
+ * BUF - buffer - must be 16 bytes aligned
+ * LEN - sizeof buffer - must be multiple of 16 bytes and greater than 63
* CRC - initial crc32
* return %eax crc32
* uint crc32_pclmul_le_16(unsigned char const *buffer,
* size_t len, uint crc32)
*/

-SYM_FUNC_START(crc32_pclmul_le_16) /* buffer and buffer size are 16 bytes aligned */
+SYM_FUNC_START(crc32_pclmul_le_16)
movdqa (BUF), %xmm1
movdqa 0x10(BUF), %xmm2
movdqa 0x20(BUF), %xmm3
diff --git a/arch/x86/crypto/crc32-pclmul_glue.c b/arch/x86/crypto/crc32-pclmul_glue.c
index 98cf3b4e4c9f..df3dbc754818 100644
--- a/arch/x86/crypto/crc32-pclmul_glue.c
+++ b/arch/x86/crypto/crc32-pclmul_glue.c
@@ -46,6 +46,9 @@
#define SCALE_F 16L /* size of xmm register */
#define SCALE_F_MASK (SCALE_F - 1)

+/* avoid kernel_fpu_begin/end scheduler/rcu stalls */
+static const unsigned int bytes_per_fpu = 655 * 1024;
+
u32 crc32_pclmul_le_16(unsigned char const *buffer, size_t len, u32 crc32);

static u32 __attribute__((pure))
@@ -55,6 +58,9 @@ static u32 __attribute__((pure))
unsigned int iremainder;
unsigned int prealign;

+ BUILD_BUG_ON(bytes_per_fpu < PCLMUL_MIN_LEN);
+ BUILD_BUG_ON(bytes_per_fpu & SCALE_F_MASK);
+
if (len < PCLMUL_MIN_LEN + SCALE_F_MASK || !crypto_simd_usable())
return crc32_le(crc, p, len);

@@ -70,12 +76,19 @@ static u32 __attribute__((pure))
iquotient = len & (~SCALE_F_MASK);
iremainder = len & SCALE_F_MASK;

- kernel_fpu_begin();
- crc = crc32_pclmul_le_16(p, iquotient, crc);
- kernel_fpu_end();
+ while (iquotient >= PCLMUL_MIN_LEN) {
+ unsigned int chunk = min(iquotient, bytes_per_fpu);
+
+ kernel_fpu_begin();
+ crc = crc32_pclmul_le_16(p, chunk, crc);
+ kernel_fpu_end();
+
+ iquotient -= chunk;
+ p += chunk;
+ }

- if (iremainder)
- crc = crc32_le(crc, p + iquotient, iremainder);
+ if (iquotient || iremainder)
+ crc = crc32_le(crc, p, iquotient + iremainder);

return crc;
}
@@ -120,8 +133,8 @@ static int crc32_pclmul_update(struct shash_desc *desc, const u8 *data,
}

/* No final XOR 0xFFFFFFFF, like crc32_le */
-static int __crc32_pclmul_finup(u32 *crcp, const u8 *data, unsigned int len,
- u8 *out)
+static int __crc32_pclmul_finup(const u32 *crcp, const u8 *data,
+ unsigned int len, u8 *out)
{
*(__le32 *)out = cpu_to_le32(crc32_pclmul_le(*crcp, data, len));
return 0;
diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c
index feccb5254c7e..f08ed68ec93d 100644
--- a/arch/x86/crypto/crc32c-intel_glue.c
+++ b/arch/x86/crypto/crc32c-intel_glue.c
@@ -45,7 +45,10 @@ asmlinkage unsigned int crc_pcl(const u8 *buffer, int len,
unsigned int crc_init);
#endif /* CONFIG_X86_64 */

-static u32 crc32c_intel_le_hw_byte(u32 crc, unsigned char const *data, size_t length)
+/* avoid kernel_fpu_begin/end scheduler/rcu stalls */
+static const unsigned int bytes_per_fpu = 868 * 1024;
+
+static u32 crc32c_intel_le_hw_byte(u32 crc, const unsigned char *data, size_t length)
{
while (length--) {
asm("crc32b %1, %0"
@@ -56,7 +59,7 @@ static u32 crc32c_intel_le_hw_byte(u32 crc, unsigned char const *data, size_t le
return crc;
}

-static u32 __pure crc32c_intel_le_hw(u32 crc, unsigned char const *p, size_t len)
+static u32 __pure crc32c_intel_le_hw(u32 crc, const unsigned char *p, size_t len)
{
unsigned int iquotient = len / SCALE_F;
unsigned int iremainder = len % SCALE_F;
@@ -110,8 +113,8 @@ static int crc32c_intel_update(struct shash_desc *desc, const u8 *data,
return 0;
}

-static int __crc32c_intel_finup(u32 *crcp, const u8 *data, unsigned int len,
- u8 *out)
+static int __crc32c_intel_finup(const u32 *crcp, const u8 *data,
+ unsigned int len, u8 *out)
{
*(__le32 *)out = ~cpu_to_le32(crc32c_intel_le_hw(*crcp, data, len));
return 0;
@@ -153,29 +156,52 @@ static int crc32c_pcl_intel_update(struct shash_desc *desc, const u8 *data,
{
u32 *crcp = shash_desc_ctx(desc);

+ BUILD_BUG_ON(bytes_per_fpu < CRC32C_PCL_BREAKEVEN);
+ BUILD_BUG_ON(bytes_per_fpu % SCALE_F);
+
/*
* use faster PCL version if datasize is large enough to
* overcome kernel fpu state save/restore overhead
*/
if (len >= CRC32C_PCL_BREAKEVEN && crypto_simd_usable()) {
- kernel_fpu_begin();
- *crcp = crc_pcl(data, len, *crcp);
- kernel_fpu_end();
+ while (len) {
+ unsigned int chunk = min(len, bytes_per_fpu);
+
+ kernel_fpu_begin();
+ *crcp = crc_pcl(data, chunk, *crcp);
+ kernel_fpu_end();
+
+ len -= chunk;
+ data += chunk;
+ }
} else
*crcp = crc32c_intel_le_hw(*crcp, data, len);
return 0;
}

-static int __crc32c_pcl_intel_finup(u32 *crcp, const u8 *data, unsigned int len,
- u8 *out)
+static int __crc32c_pcl_intel_finup(const u32 *crcp, const u8 *data,
+ unsigned int len, u8 *out)
{
+ u32 crc = *crcp;
+
+ BUILD_BUG_ON(bytes_per_fpu < CRC32C_PCL_BREAKEVEN);
+ BUILD_BUG_ON(bytes_per_fpu % SCALE_F);
+
if (len >= CRC32C_PCL_BREAKEVEN && crypto_simd_usable()) {
- kernel_fpu_begin();
- *(__le32 *)out = ~cpu_to_le32(crc_pcl(data, len, *crcp));
- kernel_fpu_end();
+ while (len) {
+ unsigned int chunk = min(len, bytes_per_fpu);
+
+ kernel_fpu_begin();
+ crc = crc_pcl(data, chunk, crc);
+ kernel_fpu_end();
+
+ len -= chunk;
+ data += chunk;
+ }
+ *(__le32 *)out = ~cpu_to_le32(crc);
} else
*(__le32 *)out =
- ~cpu_to_le32(crc32c_intel_le_hw(*crcp, data, len));
+ ~cpu_to_le32(crc32c_intel_le_hw(crc, data, len));
return 0;
}

diff --git a/arch/x86/crypto/crct10dif-pclmul_glue.c b/arch/x86/crypto/crct10dif-pclmul_glue.c
index 71291d5af9f4..4f6b8c727d88 100644
--- a/arch/x86/crypto/crct10dif-pclmul_glue.c
+++ b/arch/x86/crypto/crct10dif-pclmul_glue.c
@@ -34,6 +34,11 @@
#include <asm/cpu_device_id.h>
#include <asm/simd.h>

+#define PCLMUL_MIN_LEN 16U /* minimum size of buffer for crc_t10dif_pcl */
+
+/* avoid kernel_fpu_begin/end scheduler/rcu stalls */
+static const unsigned int bytes_per_fpu = 614 * 1024;
+
asmlinkage u16 crc_t10dif_pcl(u16 init_crc, const u8 *buf, size_t len);

struct chksum_desc_ctx {
@@ -54,11 +59,21 @@ static int chksum_update(struct shash_desc *desc, const u8 *data,
{
struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);

- if (length >= 16 && crypto_simd_usable()) {
- kernel_fpu_begin();
- ctx->crc = crc_t10dif_pcl(ctx->crc, data, length);
- kernel_fpu_end();
- } else
+ BUILD_BUG_ON(bytes_per_fpu < PCLMUL_MIN_LEN);
+
+ if (length >= PCLMUL_MIN_LEN && crypto_simd_usable()) {
+ while (length >= PCLMUL_MIN_LEN) {
+ unsigned int chunk = min(length, bytes_per_fpu);
+
+ kernel_fpu_begin();
+ ctx->crc = crc_t10dif_pcl(ctx->crc, data, chunk);
+ kernel_fpu_end();
+
+ length -= chunk;
+ data += chunk;
+ }
+ }
+ if (length)
ctx->crc = crc_t10dif_generic(ctx->crc, data, length);
return 0;
}
@@ -73,12 +88,23 @@ static int chksum_final(struct shash_desc *desc, u8 *out)

static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out)
{
- if (len >= 16 && crypto_simd_usable()) {
- kernel_fpu_begin();
- *(__u16 *)out = crc_t10dif_pcl(crc, data, len);
- kernel_fpu_end();
- } else
- *(__u16 *)out = crc_t10dif_generic(crc, data, len);
+ BUILD_BUG_ON(bytes_per_fpu < PCLMUL_MIN_LEN);
+
+ if (len >= PCLMUL_MIN_LEN && crypto_simd_usable()) {
+ while (len >= PCLMUL_MIN_LEN) {
+ unsigned int chunk = min(len, bytes_per_fpu);
+
+ kernel_fpu_begin();
+ crc = crc_t10dif_pcl(crc, data, chunk);
+ kernel_fpu_end();
+
+ len -= chunk;
+ data += chunk;
+ }
+ }
+ if (len)
+ crc = crc_t10dif_generic(crc, data, len);
+ *(__u16 *)out = crc;
return 0;
}

--
2.37.3

2022-11-03 04:30:39

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: [PATCH v3 02/17] crypto: tcrypt - test nhpoly1305

2022-11-03 04:30:42

by Elliott, Robert (Servers)

[permalink] [raw]

Hi Robert,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on v6.1-rc2]
[also build test WARNING on next-20221103]
[cannot apply to herbert-cryptodev-2.6/master herbert-crypto-2.6/master crng-random/master linus/master v6.1-rc3]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Robert-Elliott/crypto-tcrypt-test-crc32/20221103-132823
patch link: https://lore.kernel.org/r/20221103042740.6556-12-elliott%40hpe.com
patch subject: [PATCH v3 11/17] crypto: x86/sha - register all variations
config: x86_64-allyesconfig
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/70c392540055e5e494696b9f4fb6db52f2b6574c
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Robert-Elliott/crypto-tcrypt-test-crc32/20221103-132823
git checkout 70c392540055e5e494696b9f4fb6db52f2b6574c
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash arch/x86/crypto/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

arch/x86/crypto/sha1_ssse3_glue.c: In function 'sha1_ssse3_mod_init':
>> arch/x86/crypto/sha1_ssse3_glue.c:302:21: warning: variable 'driver_name' set but not used [-Wunused-but-set-variable]
302 | const char *driver_name = NULL;
| ^~~~~~~~~~~
--
arch/x86/crypto/sha256_ssse3_glue.c: In function 'sha256_ssse3_mod_init':
>> arch/x86/crypto/sha256_ssse3_glue.c:365:21: warning: variable 'driver_name2' set but not used [-Wunused-but-set-variable]
365 | const char *driver_name2 = NULL;
| ^~~~~~~~~~~~
>> arch/x86/crypto/sha256_ssse3_glue.c:364:21: warning: variable 'driver_name' set but not used [-Wunused-but-set-variable]
364 | const char *driver_name = NULL;
| ^~~~~~~~~~~
--
arch/x86/crypto/sha512_ssse3_glue.c: In function 'sha512_ssse3_mod_init':
>> arch/x86/crypto/sha512_ssse3_glue.c:304:21: warning: variable 'driver_name2' set but not used [-Wunused-but-set-variable]
304 | const char *driver_name2 = NULL;
| ^~~~~~~~~~~~
>> arch/x86/crypto/sha512_ssse3_glue.c:303:21: warning: variable 'driver_name' set but not used [-Wunused-but-set-variable]
303 | const char *driver_name = NULL;
| ^~~~~~~~~~~

vim +/driver_name +302 arch/x86/crypto/sha1_ssse3_glue.c

298
299 static int __init sha1_ssse3_mod_init(void)
300 {
301 const char *feature_name;
> 302 const char *driver_name = NULL;
303 int ret;
304

--
0-DAY CI Kernel Test Service
https://01.org/lkp

Attachments:

(No filename) (3.09 kB)
config (297.60 kB)
Download all attachments

2022-11-10 22:18:05

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: RE: [PATCH v2 18/19] crypto: x86 - standardize not loaded prints

> The positive messages about which optional features are
> engaged could be reported as read-only module parameters.

I've experimented with this approach.

There are two constructions for the modules:
1. modules that enable different behavior in the drivers
(e.g., aesni_intel enabling avx or avx2 within each driver)

I named these parameters "engaged_<feature>"

2. modules that register separate drivers for different behavior
(e.g., sha1 registering separate drivers for avx2, avx, and ssse3)

I named these parameters "registered_<feature>"

It looks like this:

$ grep -Hs . /sys/module/*/parameters/engaged*
/sys/module/aesni_intel/parameters/engaged_avx:1
/sys/module/aesni_intel/parameters/engaged_avx2:1
/sys/module/aria_aesni_avx_x86_64/parameters/engaged_gfni:0
/sys/module/chacha_x86_64/parameters/engaged_avx2:1
/sys/module/chacha_x86_64/parameters/engaged_avx512:1
/sys/module/crc32c_intel/parameters/engaged_pclmulqdq:1
/sys/module/curve25519_x86_64/parameters/engaged_adx:1
/sys/module/libblake2s_x86_64/parameters/engaged_avx512:1
/sys/module/libblake2s_x86_64/parameters/engaged_ssse3:1
/sys/module/poly1305_x86_64/parameters/engaged_avx:1
/sys/module/poly1305_x86_64/parameters/engaged_avx2:1
/sys/module/poly1305_x86_64/parameters/engaged_avx512:0

with modinfo descriptions like:
parm: engaged_avx2:Using x86 instruction set extensions: AVX2 (for GCM mode) (int)
parm: engaged_avx:Using x86 instruction set extensions: AVX (for CTR and GCM modes) (int)

$ grep -Hs . /sys/module/*/parameters/registered*
/sys/module/sha1_ssse3/parameters/registered_avx:1
/sys/module/sha1_ssse3/parameters/registered_avx2:1
/sys/module/sha1_ssse3/parameters/registered_shani:0
/sys/module/sha1_ssse3/parameters/registered_ssse3:1
/sys/module/sha256_ssse3/parameters/registered_avx:1
/sys/module/sha256_ssse3/parameters/registered_avx2:1
/sys/module/sha256_ssse3/parameters/registered_shani:0
/sys/module/sha256_ssse3/parameters/registered_ssse3:1
/sys/module/sha512_ssse3/parameters/registered_avx:1
/sys/module/sha512_ssse3/parameters/registered_avx2:1
/sys/module/sha512_ssse3/parameters/registered_ssse3:1

with modinfo descriptions like:
parm: registered_shani:Registered crypto driver using x86 instruction set extensions: SHA-NI (int)
parm: registered_ssse3:Registered crypto driver using x86 instruction set extensions: SSSE3 (int)
parm: registered_avx:Registered crypto driver using x86 instruction set extensions: AVX (int)
parm: registered_avx2:Registered crypto driver using x86 instruction set extensions: AVX2 (int)

That would eliminate these prints in aesni_intel, so all the
modules load silently (but you can figure out what they're
doing if needed).

pr_info("AVX2 version of gcm_enc/dec engaged.\n");
pr_info("AVX version of gcm_enc/dec engaged.\n");
pr_info("SSE version of gcm_enc/dec engaged.\n");
pr_info("AES CTR mode by8 optimization enabled\n");

2022-11-16 04:16:00

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: [PATCH v4 00/24] crypto: fix RCU stalls

This series fixes the RCU stalls triggered by the x86 crypto
modules discussed in
https://lore.kernel.org/all/MW5PR84MB18426EBBA3303770A8BC0BDFAB759@MW5PR84MB1842.NAMPRD84.PROD.OUTLOOK.COM/

Two root causes were:
- too much data processed between kernel_fpu_begin and
kernel_fpu_end calls (which are heavily used by the x86
optimized drivers)
- tcrypt not calling cond_resched during speed test loops

These problems have always been lurking, but improving the
loading of the x86/sha512 module led to it happening a lot
during boot when using SHA-512 for module signature checking.

Fixing these problems makes it safer to improve loading
the rest of the x86 modules like the sha512 module.

This series only handles the x86 modules.

Version 4 tackles lingering comments from version 2.

1. Unlike the hash functions, skcipher and aead functions
accept pointers to scatter-gather lists, and the helper
functions that walk through those lists limit processing
to a page size at a time.

The aegis module did everything inside one pair of
kernel_fpu_begin() and kernel_fpu_end() calls including
walking through the sglist, so it could preempt the CPU
without constraint.

The aesni aead functions for gcm process the additional
data (data that is included in the authentication tag
calculation but not encrypted) in one FPU context, so
that can be a problem. This will require some asm changes
to fix. However, I don't think that is a typical use case,
so this series defers fixing that.

The series adds device table matching for all the x86
crypto modules.

2. I replaced all the positive and negative prints with
module parameters, including enough clues in modinfo
descriptions that a user can determine what is
working and not working.

Robert Elliott (24):
crypto: tcrypt - test crc32
crypto: tcrypt - test nhpoly1305
crypto: tcrypt - reschedule during cycles speed tests
crypto: x86/sha - limit FPU preemption
crypto: x86/crc - limit FPU preemption
crypto: x86/sm3 - limit FPU preemption
crypto: x86/ghash - use u8 rather than char
crypto: x86/ghash - restructure FPU context saving
crypto: x86/ghash - limit FPU preemption
crypto: x86/poly - limit FPU preemption
crypto: x86/aegis - limit FPU preemption
crypto: x86/sha - register all variations
crypto: x86/sha - minimize time in FPU context
crypto: x86/sha - load based on CPU features
crypto: x86/crc - load based on CPU features
crypto: x86/sm3 - load based on CPU features
crypto: x86/poly - load based on CPU features
crypto: x86/ghash - load based on CPU features
crypto: x86/aesni - avoid type conversions
crypto: x86/ciphers - load based on CPU features
crypto: x86 - report used CPU features via module parameters
crypto: x86 - report missing CPU features via module parameters
crypto: x86 - report suboptimal CPUs via module parameters
crypto: x86 - standarize module descriptions

arch/x86/crypto/aegis128-aesni-glue.c | 66 +++--
arch/x86/crypto/aesni-intel_glue.c | 45 ++--
arch/x86/crypto/aria_aesni_avx_glue.c | 43 ++-
arch/x86/crypto/blake2s-glue.c | 18 +-
arch/x86/crypto/blowfish_glue.c | 39 ++-
arch/x86/crypto/camellia_aesni_avx2_glue.c | 40 ++-
arch/x86/crypto/camellia_aesni_avx_glue.c | 38 ++-
arch/x86/crypto/camellia_glue.c | 37 ++-
arch/x86/crypto/cast5_avx_glue.c | 30 ++-
arch/x86/crypto/cast6_avx_glue.c | 30 ++-
arch/x86/crypto/chacha_glue.c | 18 +-
arch/x86/crypto/crc32-pclmul_asm.S | 6 +-
arch/x86/crypto/crc32-pclmul_glue.c | 39 ++-
arch/x86/crypto/crc32c-intel_glue.c | 66 +++--
arch/x86/crypto/crct10dif-pclmul_glue.c | 56 ++--
arch/x86/crypto/curve25519-x86_64.c | 29 +-
arch/x86/crypto/des3_ede_glue.c | 36 ++-
arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 +-
arch/x86/crypto/ghash-clmulni-intel_glue.c | 45 ++--
arch/x86/crypto/nhpoly1305-avx2-glue.c | 36 ++-
arch/x86/crypto/nhpoly1305-sse2-glue.c | 22 +-
arch/x86/crypto/poly1305_glue.c | 56 +++-
arch/x86/crypto/polyval-clmulni_glue.c | 31 ++-
arch/x86/crypto/serpent_avx2_glue.c | 36 ++-
arch/x86/crypto/serpent_avx_glue.c | 31 ++-
arch/x86/crypto/serpent_sse2_glue.c | 13 +-
arch/x86/crypto/sha1_ssse3_glue.c | 298 ++++++++++++++-------
arch/x86/crypto/sha256_ssse3_glue.c | 294 +++++++++++++-------
arch/x86/crypto/sha512_ssse3_glue.c | 205 +++++++++-----
arch/x86/crypto/sm3_avx_glue.c | 70 +++--
arch/x86/crypto/sm4_aesni_avx2_glue.c | 37 ++-
arch/x86/crypto/sm4_aesni_avx_glue.c | 39 ++-
arch/x86/crypto/twofish_avx_glue.c | 29 +-
arch/x86/crypto/twofish_glue.c | 12 +-
arch/x86/crypto/twofish_glue_3way.c | 36 ++-
crypto/aes_ti.c | 2 +-
crypto/blake2b_generic.c | 2 +-
crypto/blowfish_common.c | 2 +-
crypto/crct10dif_generic.c | 2 +-
crypto/curve25519-generic.c | 1 +
crypto/sha256_generic.c | 2 +-
crypto/sha512_generic.c | 2 +-
crypto/sm3.c | 2 +-
crypto/sm4.c | 2 +-
crypto/tcrypt.c | 56 ++--
crypto/twofish_common.c | 2 +-
crypto/twofish_generic.c | 2 +-
47 files changed, 1377 insertions(+), 630 deletions(-)

--
2.38.1

2022-11-16 04:16:03

by Elliott, Robert (Servers)

[permalink] [raw]

Subject: [PATCH v4 17/24] crypto: x86/poly - load based on CPU features

Like commit aa031b8f702e ("crypto: x86/sha512 - load based on CPU
features"), these x86-optimized crypto modules already have
module aliases based on CPU feature bits:
nhpoly1305
poly1305
polyval

Rename the unique device table data structure to a generic name
so the code has the same pattern in all the modules.

Remove the __maybe_unused attribute from polyval since it is
always used.

Signed-off-by: Robert Elliott <[email protected]>

---
v4 Removed CPU feature checks that are unreachable because
the x86_match_cpu call already handles them.

Made poly1305 match on all features since it does provide
an x86_64 asm function if avx, avx2, and avx512f are not
available.

Move polyval into this patch rather than pair with ghash.

Remove __maybe_unused from polyval.
---
arch/x86/crypto/nhpoly1305-avx2-glue.c | 13 +++++++++++--
arch/x86/crypto/nhpoly1305-sse2-glue.c | 9 ++++++++-
arch/x86/crypto/poly1305_glue.c | 10 ++++++++++
arch/x86/crypto/polyval-clmulni_glue.c | 6 +++---
4 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/arch/x86/crypto/nhpoly1305-avx2-glue.c b/arch/x86/crypto/nhpoly1305-avx2-glue.c
index f7dc9c563bb5..fa415fec5793 100644
--- a/arch/x86/crypto/nhpoly1305-avx2-glue.c
+++ b/arch/x86/crypto/nhpoly1305-avx2-glue.c
@@ -11,6 +11,7 @@
#include <crypto/nhpoly1305.h>
#include <linux/module.h>
#include <linux/sizes.h>
+#include <asm/cpu_device_id.h>
#include <asm/simd.h>

/* avoid kernel_fpu_begin/end scheduler/rcu stalls */
@@ -60,10 +61,18 @@ static struct shash_alg nhpoly1305_alg = {
.descsize = sizeof(struct nhpoly1305_state),
};

+static const struct x86_cpu_id module_cpu_ids[] = {
+ X86_MATCH_FEATURE(X86_FEATURE_AVX2, NULL),
+ {}
+};
+MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids);
+
static int __init nhpoly1305_mod_init(void)
{
- if (!boot_cpu_has(X86_FEATURE_AVX2) ||
- !boot_cpu_has(X86_FEATURE_OSXSAVE))
+ if (!x86_match_cpu(module_cpu_ids))
+ return -ENODEV;
+
+ if (!boot_cpu_has(X86_FEATURE_OSXSAVE))
return -ENODEV;

return crypto_register_shash(&nhpoly1305_alg);
diff --git a/arch/x86/crypto/nhpoly1305-sse2-glue.c b/arch/x86/crypto/nhpoly1305-sse2-glue.c
index daffcc7019ad..c47765e46236 100644
--- a/arch/x86/crypto/nhpoly1305-sse2-glue.c
+++ b/arch/x86/crypto/nhpoly1305-sse2-glue.c
@@ -11,6 +11,7 @@
#include <crypto/nhpoly1305.h>
#include <linux/module.h>
#include <linux/sizes.h>
+#include <asm/cpu_device_id.h>
#include <asm/simd.h>

/* avoid kernel_fpu_begin/end scheduler/rcu stalls */
@@ -60,9 +61,15 @@ static struct shash_alg nhpoly1305_alg = {
.descsize = sizeof(struct nhpoly1305_state),
};

+static const struct x86_cpu_id module_cpu_ids[] = {
+ X86_MATCH_FEATURE(X86_FEATURE_XMM2, NULL),
+ {}
+};
+MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids);
+
static int __init nhpoly1305_mod_init(void)
{
- if (!boot_cpu_has(X86_FEATURE_XMM2))
+ if (!x86_match_cpu(module_cpu_ids))
return -ENODEV;

return crypto_register_shash(&nhpoly1305_alg);
diff --git a/arch/x86/crypto/poly1305_glue.c b/arch/x86/crypto/poly1305_glue.c
index 16831c036d71..f1e39e23b2a3 100644
--- a/arch/x86/crypto/poly1305_glue.c
+++ b/arch/x86/crypto/poly1305_glue.c
@@ -12,6 +12,7 @@
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sizes.h>
+#include <asm/cpu_device_id.h>
#include <asm/intel-family.h>
#include <asm/simd.h>

@@ -268,8 +269,17 @@ static struct shash_alg alg = {
},
};

+static const struct x86_cpu_id module_cpu_ids[] = {
+ X86_MATCH_FEATURE(X86_FEATURE_ANY, NULL),
+ {}
+};
+MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids);
+
static int __init poly1305_simd_mod_init(void)
{
+ if (!x86_match_cpu(module_cpu_ids))
+ return -ENODEV;
+
if (boot_cpu_has(X86_FEATURE_AVX) &&
cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
static_branch_enable(&poly1305_use_avx);
diff --git a/arch/x86/crypto/polyval-clmulni_glue.c b/arch/x86/crypto/polyval-clmulni_glue.c
index de1c908f7412..b98e32f8e2a4 100644
--- a/arch/x86/crypto/polyval-clmulni_glue.c
+++ b/arch/x86/crypto/polyval-clmulni_glue.c
@@ -176,15 +176,15 @@ static struct shash_alg polyval_alg = {
},
};

-__maybe_unused static const struct x86_cpu_id pcmul_cpu_id[] = {
+static const struct x86_cpu_id module_cpu_ids[] = {
X86_MATCH_FEATURE(X86_FEATURE_PCLMULQDQ, NULL),
{}
};
-MODULE_DEVICE_TABLE(x86cpu, pcmul_cpu_id);
+MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids);

static int __init polyval_clmulni_mod_init(void)
{
- if (!x86_match_cpu(pcmul_cpu_id))
+ if (!x86_match_cpu(module_cpu_ids))
return -ENODEV;

if (!boot_cpu_has(X86_FEATURE_AVX))
--
2.38.1

2022-11-16 04:16:14

by Elliott, Robert (Servers)

[permalink] [raw]

On Thu, Nov 17, 2022 at 4:14 PM Elliott, Robert (Servers)
<[email protected]> wrote:
> > -----Original Message-----
> > From: Herbert Xu <[email protected]>
> > Sent: Wednesday, November 16, 2022 9:59 PM
> > Subject: Re: [PATCH v4 00/24] crypto: fix RCU stalls
> >
> > On Tue, Nov 15, 2022 at 10:13:18PM -0600, Robert Elliott wrote:
> ...
> > > These problems have always been lurking, but improving the
> > > loading of the x86/sha512 module led to it happening a lot
> > > during boot when using SHA-512 for module signature checking.
> >
> > Can we split this series up please? The fixes to the stalls should
> > stand separately from the changes to how modules are loaded. The
> > latter is more of an improvement while the former should be applied
> > ASAP.
>
> Yes. With the v4 patch numbers:
> [PATCH v4 01/24] crypto: tcrypt - test crc32
> [PATCH v4 02/24] crypto: tcrypt - test nhpoly1305
>
> Those ensure the changes to those hash modules are testable.
>
> [PATCH v4 03/24] crypto: tcrypt - reschedule during cycles speed
>
> That's only for tcrypt so not urgent for users, but pretty
> simple.
>
> [PATCH v4 04/24] crypto: x86/sha - limit FPU preemption
> [PATCH v4 05/24] crypto: x86/crc - limit FPU preemption
> [PATCH v4 06/24] crypto: x86/sm3 - limit FPU preemption
> [PATCH v4 07/24] crypto: x86/ghash - use u8 rather than char
> [PATCH v4 08/24] crypto: x86/ghash - restructure FPU context saving
> [PATCH v4 09/24] crypto: x86/ghash - limit FPU preemption
> [PATCH v4 10/24] crypto: x86/poly - limit FPU preemption
> [PATCH v4 11/24] crypto: x86/aegis - limit FPU preemption
> [PATCH v4 12/24] crypto: x86/sha - register all variations
> [PATCH v4 13/24] crypto: x86/sha - minimize time in FPU context
>
> That's the end of the fixes set.
>
> [PATCH v4 14/24] crypto: x86/sha - load based on CPU features
> [PATCH v4 15/24] crypto: x86/crc - load based on CPU features
> [PATCH v4 16/24] crypto: x86/sm3 - load based on CPU features
> [PATCH v4 17/24] crypto: x86/poly - load based on CPU features
> [PATCH v4 18/24] crypto: x86/ghash - load based on CPU features
> [PATCH v4 19/24] crypto: x86/aesni - avoid type conversions
> [PATCH v4 20/24] crypto: x86/ciphers - load based on CPU features
> [PATCH v4 21/24] crypto: x86 - report used CPU features via module
> [PATCH v4 22/24] crypto: x86 - report missing CPU features via module
> [PATCH v4 23/24] crypto: x86 - report suboptimal CPUs via module
> [PATCH v4 24/24] crypto: x86 - standardize module descriptions
>
> I'll put those in a new series.

Thanks. Please take into account my review feedback this time for your
next series.

Jason

Subject: [RFC PATCH 0/7] crypto: x86 - fix RCU stalls

Subject: [RFC PATCH 1/7] rcu: correct CONFIG_EXT_RCU_CPU_STALL_TIMEOUT descriptions

Subject: [RFC PATCH 3/7] crypto: x86/crc - limit FPU preemption

Subject: [PATCH v2 00/19] crypto: x86 - fix RCU stalls

Subject: [PATCH v2 03/19] crypto: tcrypt - reschedule during cycles speed tests

Subject: [PATCH v2 01/19] crypto: tcrypt - test crc32

Subject: [PATCH v2 09/19] crypto: x86 - use common macro for FPU limit

Subject: [PATCH v2 08/19] crypto: x86/ghash - limit FPU preemption

Subject: [PATCH v2 13/19] crypto: x86/ghash - load based on CPU features

Subject: [PATCH v2 10/19] crypto: x86/sha1, sha256 - load based on CPU features

Subject: [PATCH v2 12/19] crypto: x86/sm3 - load based on CPU features

Subject: [PATCH v2 14/19] crypto: x86 - load based on CPU features

Subject: [PATCH v2 07/19] crypto: x86/ghash - restructure FPU context saving

Subject: [PATCH v2 16/19] crypto: x86 - print CPU optimized loaded messages

Subject: [PATCH v2 11/19] crypto: x86/crc - load based on CPU features

Subject: [PATCH v2 02/19] crypto: tcrypt - test nhpoly1305

Subject: [PATCH v2 19/19] crypto: x86/sha - register only the best function

Subject: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

Subject: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: [PATCH v2 15/19] crypto: x86 - add pr_fmt to all modules

Subject: [PATCH v2 18/19] crypto: x86 - standardize not loaded prints

Subject: Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: Re: [PATCH v2 16/19] crypto: x86 - print CPU optimized loaded messages

Subject: Re: [PATCH v2 09/19] crypto: x86 - use common macro for FPU limit

Subject: Re: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

Subject: Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: Re: [PATCH v2 08/19] crypto: x86/ghash - limit FPU preemption

Subject: Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: Re: [PATCH v2 19/19] crypto: x86/sha - register only the best function

Subject: Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: Re: [PATCH v2 19/19] crypto: x86/sha - register only the best function

Subject: Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: Re: [PATCH v2 16/19] crypto: x86 - print CPU optimized loaded messages

Attachments:

Subject: Re: [PATCH v2 16/19] crypto: x86 - print CPU optimized loaded messages

Attachments:

Subject: RE: [PATCH v2 09/19] crypto: x86 - use common macro for FPU limit

Subject: RE: [PATCH v2 18/19] crypto: x86 - standardize not loaded prints

Subject: RE: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

Subject: RE: :Re: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: RE: [PATCH v2 08/19] crypto: x86/ghash - limit FPU preemption

Subject: RE: [PATCH v2 19/19] crypto: x86/sha - register only the best function

Subject: Re: [PATCH v2 09/19] crypto: x86 - use common macro for FPU limit

Subject: RE: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

Subject: Re: [PATCH v2 19/19] crypto: x86/sha - register only the best function

Subject: RE: [PATCH v2 04/19] crypto: x86/sha - limit FPU preemption

Subject: RE: [PATCH v2 14/19] crypto: x86 - load based on CPU features

Subject: RE: [PATCH v2 09/19] crypto: x86 - use common macro for FPU limit

Subject: Re: [PATCH v2 05/19] crypto: x86/crc - limit FPU preemption

Attachments:

Subject: RE: [PATCH v2 00/19] crypto: x86 - fix RCU stalls

Subject: [PATCH v3 00/17] crypt: x86 - fix RCU stalls

Subject: [PATCH v3 05/17] crypto: x86/crc - limit FPU preemption

Subject: [PATCH v3 02/17] crypto: tcrypt - test nhpoly1305

Subject: [PATCH v3 01/17] crypto: tcrypt - test crc32

Subject: [PATCH v3 08/17] crypto: x86/ghash - restructure FPU context saving

Subject: [PATCH v3 10/17] crypto: x86/*poly* - limit FPU preemption

Subject: [PATCH v3 04/17] crypto: x86/sha - limit FPU preemption

Subject: [PATCH v3 11/17] crypto: x86/sha - register all variations

Subject: [PATCH v3 15/17] crypto: x86/sm3 - load based on CPU features

Subject: [PATCH v3 14/17] crypto: x86/crc - load based on CPU features

Subject: [PATCH v3 17/17] crypto: x86/nhpoly1305, poly1305 - load based on CPU features

Subject: [PATCH v3 16/17] crypto: x86/ghash,polyval - load based on CPU features

Subject: [PATCH v3 07/17] crypto: x86/ghash - use u8 rather than char

Subject: [PATCH v3 13/17] crypto: x86/sha1, sha256 - load based on CPU features

Subject: [PATCH v3 12/17] crypto: x86/sha - minimize time in FPU context

Subject: [PATCH v3 09/17] crypto: x86/ghash - limit FPU preemption

Subject: Re: [PATCH v3 11/17] crypto: x86/sha - register all variations

Attachments:

Subject: RE: [PATCH v2 18/19] crypto: x86 - standardize not loaded prints

Subject: [PATCH v4 00/24] crypto: fix RCU stalls

Subject: [PATCH v4 17/24] crypto: x86/poly - load based on CPU features

Subject: [PATCH v4 07/24] crypto: x86/ghash - use u8 rather than char

Subject: [PATCH v4 05/24] crypto: x86/crc - limit FPU preemption

Subject: [PATCH v4 21/24] crypto: x86 - report used CPU features via module parameters

Subject: [PATCH v4 20/24] crypto: x86/ciphers - load based on CPU features

Subject: [PATCH v4 19/24] crypto: x86/aesni - avoid type conversions

Subject: [PATCH v4 18/24] crypto: x86/ghash - load based on CPU features

Subject: [PATCH v4 23/24] crypto: x86 - report suboptimal CPUs via module parameters

Subject: [PATCH v4 22/24] crypto: x86 - report missing CPU features via module parameters

Subject: [PATCH v3 10/17] crypto: x86/poly - limit FPU preemption