Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp2609500pxp;
        Mon, 14 Mar 2022 00:22:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyMwKH/RAi+9XxXG6zmJIWDUzu5yZ/2yqxoQzkY4OwR00jVxOpuyDxKJ/r0iCWwJaoP3xnL
X-Received: by 2002:a17:90a:2d0:b0:1bc:4fc0:6fb7 with SMTP id d16-20020a17090a02d000b001bc4fc06fb7mr24082130pjd.196.1647242577131;
        Mon, 14 Mar 2022 00:22:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647242577; cv=none;
        d=google.com; s=arc-20160816;
        b=ZV3LC+V+3tIbuZqtB6FmrpMXlA/9NTNO1ntJtytLLZrufLftczpovMwJ5trHlhIcRk
         hA1G+UU1yVlsfJe6GVRYmZ+9IpwyrkREHJhvoSwb7nxyjZwEgXZwyBiT0FEniDw2uUJK
         //gyrbh8bjTOaHnNkeNa2/5yMXYCw3OQmDWsdAtNtVMl4BTxyXavUGJgGg9MCz26GPsT
         naz+cFfHkH8bmmGtF6FFqrwQMR7ipcID9nB9mvPxMvwN58LJIHa+4TD6veWOCSE32+Y6
         a7yYsx/VEiD1t+LsoYHUro/6ToGuhxGeVTmCpI+ajZWql12IwEONMTj1lG5Tn0roXjSj
         CbAQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=lduXrnkF4K9zyGc1RLVWB0WnN6+qmXS3MBXJcwH+LO8=;
        b=Noq0LU0pXzjWVFv529cMKDMC6c2/m+fJcSF6JDNRxjccs3aJueicAQS9sUZmxccXeb
         lPd/GWP6Yj4+KkQfikIrt4/XvYt9KU2n6YqHYx14TQ3M3BwFerl+dJs0cSr9/rzG01Cj
         Bhj/u5SsFIeTBj/qFKisAivY8GpeH97FkiV2l+Wl/x0IOU1l88rChHOi2sRp8AbNSAQy
         7/ea62cFmMp6x+cUD3gKfzIUUNpxKeNEcKuZWsewcGypmHrGFIF1se/rGdHxeFme7FfO
         HUwy/OIrkLOWKqFKdLaeWxTic37teTVf/yUf7F4JK+KHX5ZBB/oddXN5/1AViqxJu725
         yQ+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@benyossef-com.20210112.gappssmtp.com header.s=20210112 header.b=bguZj7vU;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o2-20020a170902d4c200b00152fd5078f1si15918209plg.223.2022.03.14.00.22.33;
        Mon, 14 Mar 2022 00:22:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@benyossef-com.20210112.gappssmtp.com header.s=20210112 header.b=bguZj7vU;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234693AbiCMOxj (ORCPT <rfc822;benevolent.opressor@gmail.com>
        + 99 others); Sun, 13 Mar 2022 10:53:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36426 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234636AbiCMOxi (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Sun, 13 Mar 2022 10:53:38 -0400
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B353989CD5
        for <linux-crypto@vger.kernel.org>; Sun, 13 Mar 2022 07:52:30 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id g26so26104469ybj.10
        for <linux-crypto@vger.kernel.org>; Sun, 13 Mar 2022 07:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=benyossef-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=lduXrnkF4K9zyGc1RLVWB0WnN6+qmXS3MBXJcwH+LO8=;
        b=bguZj7vUz40UXa0VAZtwXmAgNs/TSPKxJaRnkeGbtGYcLRqnXeQJ5mNefRhkRRE8EZ
         voGsDX/OzrIZ7coKhsfStmL8eFYgiUhOQvzdwKZj/M2EZ10jLKJEhOVcFB+/yX9JtVXN
         xq84GEERo82iFqA/wUYqaG9vNxP3F6IUl7AjsL6kvcj3M18xHQU1BaKVvtOnZEWCEb58
         XEnLR6HRn+BivsJ83SwaK3t46dZvVUXZSxTJ6TqMnJYxhuvRFRqjwL2Rg8k7HY5Ocqxd
         iElgfQnXXCd0FwVkP62MkVWqJ9rRt4xdBHa2fCWLzRcYYtoTJ3VDiYGI/a1510KB5qTH
         WT3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=lduXrnkF4K9zyGc1RLVWB0WnN6+qmXS3MBXJcwH+LO8=;
        b=tFI/UICCnq5HG7zWs4GR46NcAxQE2yHfvoCP1l0dLOOh8JDr3wA/LXwPSU4JROw+uk
         xhbqEeCEtlgBJGQGgJx6w5kiM47Cak2EWZ88p8YlODoX4F0mCuLDuEHJRUDtwSVW3fmM
         Y1jlUk3+y7Cur5DkFb9RLMqpox24Dr/rJFyFpogA7xzyMckieCEtTyPnhsXf+FpMUi4t
         57l3qfvFuWOkbCf6YXLBKltSTgY+yDeBg0/9gzGc+E64Sq1SmYPWnWUXjzhUyLmfu48A
         ZpW5/uPzabMtB8QwPkciY+yMOadIGnXX6Rk9OOcgQj5T0xHS3rLzTvKbTG7VsooO2ISp
         fwyQ==
X-Gm-Message-State: AOAM531qcMaH0YAPkDHZea3xq8kh48H5fBYhqGM46yuVAb2RsxEHZjTU
        89ZtjpV1l5os/k0Gm0nqA2LkGWmizJOPLhcBaJH7aQ==
X-Received: by 2002:a25:7804:0:b0:628:ec4c:989b with SMTP id
 t4-20020a257804000000b00628ec4c989bmr13960359ybc.428.1647183149860; Sun, 13
 Mar 2022 07:52:29 -0700 (PDT)
MIME-Version: 1.0
References: <20220311081909.1661934-1-yoshihiro.shimoda.uh@renesas.com>
In-Reply-To: <20220311081909.1661934-1-yoshihiro.shimoda.uh@renesas.com>
From:   Gilad Ben-Yossef <gilad@benyossef.com>
Date:   Sun, 13 Mar 2022 16:52:20 +0200
Message-ID: <CAOtvUMc67nT_hVJ8C5pnAQfSGSGtae79OJtadgD8wZC3dcNRLA@mail.gmail.com>
Subject: Re: [RFC/PATCH] crypto: ccree - fix a race of enqueue_seq() in send_request_init()
To:     Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        David Miller <davem@davemloft.net>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Linux-Renesas <linux-renesas-soc@vger.kernel.org>,
        Dung Nguyen <dung.nguyen.zy@renesas.com>,
        cristian.marussi@arm.com, Ofir Drang <Ofir.Drang@arm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi,

On Fri, Mar 11, 2022 at 10:19 AM Yoshihiro Shimoda
<yoshihiro.shimoda.uh@renesas.com> wrote:
>
> From: Dung Nguyen <dung.nguyen.zy@renesas.com>
>
> When loading ccree.ko, after registering cipher algorithm at
> cc_cipher_alloc() and cc_hash_alloc() -> send_request_init() ->
> enqueue_seq() has called to pushing descriptor into HW.
>
> On other hand, if another thread have called to encrypt/decrypt
> cipher (cc_cipher_encrypt/decrypt) -> cc_send_request() ->
> cc_do_send_request() -> enqueue_seq() while send_request_init()
> is running, the thread also has called to pushing descriptor into HW.
> And then, it's possible to overwrite data.
>
> The cc_do_send_request() locks mgr->hw_lock, but send_request_init()
> doesn't lock mgr->hw_lock before enqueue_seq() is called. So,
> send_request_init() should lock mgr->hw_lock before enqueue_seq() is
> called.
>
> This issue is possible to cause the following way in rare cases:
> - CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=3Dn
> - insmod ccree.ko & insmod tcrypt.ko

Thank you very much Dung and Yoshihiro!

This is a very good catch and an issue we have missed indeed.

>
> Signed-off-by: Dung Nguyen <dung.nguyen.zy@renesas.com>
> [shimoda: revise the subject/description]
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> ---
>  I believe we should fix this race. But, as I wrote the desciption
>  above, there is in rare cases. So, I marked this patch as RFC.
>
>  drivers/crypto/ccree/cc_request_mgr.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/crypto/ccree/cc_request_mgr.c b/drivers/crypto/ccree=
/cc_request_mgr.c
> index 887162df50f9..eef40022258b 100644
> --- a/drivers/crypto/ccree/cc_request_mgr.c
> +++ b/drivers/crypto/ccree/cc_request_mgr.c
> @@ -513,6 +513,7 @@ int send_request_init(struct cc_drvdata *drvdata, str=
uct cc_hw_desc *desc,
>
>         set_queue_last_ind(drvdata, &desc[(len - 1)]);
>
> +       spin_lock_bh(&req_mgr_h->hw_lock);
>         /*
>          * We are about to push command to the HW via the command registe=
rs
>          * that may reference host memory. We need to issue a memory barr=
ier
> @@ -520,6 +521,7 @@ int send_request_init(struct cc_drvdata *drvdata, str=
uct cc_hw_desc *desc,
>          */
>         wmb();
>         enqueue_seq(drvdata, desc, len);
> +       spin_unlock_bh(&req_mgr_h->hw_lock);
>
>         /* Update the free slots in HW queue */
>         req_mgr_h->q_free_slots =3D
> --
> 2.25.1
>

Having said that, adding a lock here is not the best solution. To be
effective, the lock should be taken before the call to
cc_queues_status() and released only after the updating of the free
slots.
However, while doing so will ensure there is no race condition with
regard to writing to the hardware control registers, it does not deal
at all with the case the hardware command FIFO is full due to
encryption/decryption requests.
This is by design, as the whole purpose of a seperate init time only
send_request variant is to avoid these complexities, under the
assumption that all access to the hardware is serialised at init time.

Therefore, a better solution is to switch the order of algo
allocations so that the hash is allocated first, prior to any other
alg that might be using the hardware FIFO and thus guaranteeing
synchronized access and available FIFO space.

Can you please verify that the following patch indeed resolves the
issue for you?

diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_dri=
ver.c
index 790fa9058a36..7d1bee86d581 100644
--- a/drivers/crypto/ccree/cc_driver.c
+++ b/drivers/crypto/ccree/cc_driver.c
@@ -529,24 +529,26 @@ static int init_cc_resources(struct
platform_device *plat_dev)
                goto post_req_mgr_err;
        }

-       /* Allocate crypto algs */
-       rc =3D cc_cipher_alloc(new_drvdata);
+       /* hash must be allocated first due to use of send_request_init()
+        * and dependency of AEAD on it
+        */
+       rc =3D cc_hash_alloc(new_drvdata);
        if (rc) {
-               dev_err(dev, "cc_cipher_alloc failed\n");
+               dev_err(dev, "cc_hash_alloc failed\n");
                goto post_buf_mgr_err;
        }

-       /* hash must be allocated before aead since hash exports APIs */
-       rc =3D cc_hash_alloc(new_drvdata);
+       /* Allocate crypto algs */
+       rc =3D cc_cipher_alloc(new_drvdata);
        if (rc) {
-               dev_err(dev, "cc_hash_alloc failed\n");
-               goto post_cipher_err;
+               dev_err(dev, "cc_cipher_alloc failed\n");
+               goto post_hash_err;
        }

        rc =3D cc_aead_alloc(new_drvdata);
        if (rc) {
                dev_err(dev, "cc_aead_alloc failed\n");
-               goto post_hash_err;
+               goto post_cipher_err;
        }

        /* If we got here and FIPS mode is enabled
@@ -558,10 +560,10 @@ static int init_cc_resources(struct
platform_device *plat_dev)
        pm_runtime_put(dev);
        return 0;

-post_hash_err:
-       cc_hash_free(new_drvdata);
 post_cipher_err:
        cc_cipher_free(new_drvdata);
+post_hash_err:
+       cc_hash_free(new_drvdata);
 post_buf_mgr_err:
         cc_buffer_mgr_fini(new_drvdata);
 post_req_mgr_err:
@@ -593,8 +595,8 @@ static void cleanup_cc_resources(struct
platform_device *plat_dev)
                (struct cc_drvdata *)platform_get_drvdata(plat_dev);


Thanks again!
Gilad

--=20
Gilad Ben-Yossef
Chief Coffee Drinker

values of =CE=B2 will give rise to dom!