Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1160932pxb;
        Fri, 21 Jan 2022 11:08:42 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxKwc5CJETxmRWdA7ZQ5dwylAzza+/4ugFdHL6xJep9axtOzfDPTgniHjd+bT1jOoDLKO1/
X-Received: by 2002:a63:d04d:: with SMTP id s13mr3878243pgi.596.1642792122282;
        Fri, 21 Jan 2022 11:08:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1642792122; cv=none;
        d=google.com; s=arc-20160816;
        b=UvzYMq54zrE1P04hSj9Io8GKk43fJ5nV02HK8SxCZSr8t7ISv9em7Ua5bo+Yghd4fK
         LqAh0qac0XVKD+wYInfw+xr7K2rekuEWCkc4Zq8h77rbhkE8CkCycFTDfy6GyxKzTGaj
         9MjzXYp2c+UxU25l9DgaVSbpmczEBSZfF2mtsflOsqePby6UE0YZBWtLfouEM/4usBBb
         In1nkgEcYV598MxKIt40FYOnXum/HN3IGX/GDNoFrsqNaB08b2egD/8jDhJNsZG/XJUv
         nweDOr7aL3TxhAD0dRrII6SUplnstxk2JsqC2r6W8z026q6GK/Wa+oWOJucVJpmFByMA
         3msA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:references
         :in-reply-to:mime-version:dkim-signature;
        bh=AB3FPF0PWILNkb7gaXOI95vEqUZ5994CRNrN/w78cI8=;
        b=FO2szXz0W8/wV+y9G3aMpexEgfV/XGns/j7wi8l1o6pe0nrA3FDlwyzZl4wTCEqkEi
         EQdcH+lHkfp057E/jfyK7ayEokBAgVNNjd5rg0QKabJ/0LwPw69QTPA1DSAglel0CYXH
         +7P4BU6BxiPSy8tCQzygAJbHoau9+K/R0coS794KPe6qbsuSZ+e5HYwp1QI1O2ys4QLa
         chzpAtwEUmVfYA/SqiBshxllaeKAlnhHq4FEUz/KlhC33P35cpRBWegOdy2+fhLiFdj/
         7soddkJsi0LHNZMOytpb0LzbUuw1Ma0Srw3WiDvEmF9MjBDAvk8NtN4Cm2w96ZuRRhIq
         C3LQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pzCb1EEQ;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 78si3668235pfy.114.2022.01.21.11.08.30;
        Fri, 21 Jan 2022 11:08:42 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pzCb1EEQ;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229919AbiASKU0 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Wed, 19 Jan 2022 05:20:26 -0500
Received: from ams.source.kernel.org ([145.40.68.75]:38746 "EHLO
        ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S240254AbiASKUZ (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 19 Jan 2022 05:20:25 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 9C95DB81910;
        Wed, 19 Jan 2022 10:20:24 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 05CD4C340E1;
        Wed, 19 Jan 2022 10:20:22 +0000 (UTC)
Authentication-Results: smtp.kernel.org;
        dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="pzCb1EEQ"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105;
        t=1642587621;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=AB3FPF0PWILNkb7gaXOI95vEqUZ5994CRNrN/w78cI8=;
        b=pzCb1EEQcFUzN9yRu8u5sT2Be6L9JiPSihgpKwRzMiqSjjCWSiEyfmKxTsVnURi1V+xo+L
        YcSP0+/S+QLlbBJ/vaM1HactjenuvmSnS2VPJVx/uRGShzP9rIIqslr9C+dwbc0gYNnnIO
        Za0l+EvdKKltVcjNRAPkmnz5FaUv/dg=
Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 72bb5f91 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO);
        Wed, 19 Jan 2022 10:20:21 +0000 (UTC)
Received: by mail-yb1-f182.google.com with SMTP id k31so4307339ybj.4;
        Wed, 19 Jan 2022 02:20:21 -0800 (PST)
X-Gm-Message-State: AOAM530SuiMDY+o7+zPmlgJSMs9uZUYtrXRobW5yGqgtQ9FxaYzlwxgm
        /KmIcApSKG8npy9D0eeOSZ4InIeBovVMT7jzFac=
X-Received: by 2002:a25:bc52:: with SMTP id d18mr9483510ybk.255.1642587619663;
 Wed, 19 Jan 2022 02:20:19 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a05:7110:209:b0:11c:1b85:d007 with HTTP; Wed, 19 Jan 2022
 02:20:19 -0800 (PST)
In-Reply-To: <CAMj1kXE_6WboUK0VPbTwzTbMNxv8b4XUp7USQUp=YqcCRMTZig@mail.gmail.com>
References: <CAHmME9oX+4Ek81xy0nBOegqABH0xYqyONAqinsu7GZ7AaQaqYQ@mail.gmail.com>
 <20220119100615.5059-1-miles.chen@mediatek.com> <CAMj1kXE_6WboUK0VPbTwzTbMNxv8b4XUp7USQUp=YqcCRMTZig@mail.gmail.com>
From:   "Jason A. Donenfeld" <Jason@zx2c4.com>
Date:   Wed, 19 Jan 2022 11:20:19 +0100
X-Gmail-Original-Message-ID: <CAHmME9o-=q6jT6mF3XsfoA17756YVEWdXGHukP=rxWS1gs5irg@mail.gmail.com>
Message-ID: <CAHmME9o-=q6jT6mF3XsfoA17756YVEWdXGHukP=rxWS1gs5irg@mail.gmail.com>
Subject: Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
To:     Ard Biesheuvel <ardb@kernel.org>
Cc:     Miles Chen <miles.chen@mediatek.com>,
        "David S. Miller" <davem@davemloft.net>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-mediatek@lists.infradead.org,
        Matthias Brugger <matthias.bgg@gmail.com>,
        Nathan Chancellor <nathan@kernel.org>,
        Nick Desaulniers <ndesaulniers@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>>
>> Hi,
>>
>> >Hi Miles,
>> >
>> >I'm actually not able to reproduce your oops. I'm using vanilla clang
>> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>> >Kernel seems to run fine.
>> >
>> >
>> >Are there other settings that are needed to trigger this? Do you see
>> >it in upstream clang or just the Android fork of clang?
>> >
>> I will try another clang (the previous version I use).
>> I am using Android fork of clang and there is a clang upgrade in this
>> merge.
>>
>
> One thing that could be worth a try is to make __blake2s_update() and
> __blake2s_final() __always_inline rather than just inline, which by
> itself does not appear to be sufficient for the code to get inlined.
> (If it were, the indirect call should have disappeared as well)
>
> Given that indirect calls suck on x86, we should probably apply that
> change in any case, regardless of CFI.
>

Had the same thought at first, but then looking at the original stack
trace, it looks like the __ function is inlined:

[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c

So that makes me think that the issue really does involve calling
through the weak alias. But why should weak alias calling trigger CFI?
Compiler bug? Some other subtlety we're missing?

Jason