- 08 Feb, 2018 4 commits
-
-
Geert Uytterhoeven authored
Create a new function attribute __optimize, which allows to specify an optimization level on a per-function basis. Signed-off-by:
Geert Uytterhoeven <geert@linux-m68k.org> Acked-by:
Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Ard Biesheuvel authored
As reported by kbuild test robot, the optimized SHA3 C implementation compiles to mn10300 code that uses a disproportionate amount of stack space, i.e., crypto/sha3_generic.c: In function 'keccakf': crypto/sha3_generic.c:147:1: warning: the frame size of 1232 bytes is larger than 1024 bytes [-Wframe-larger-than=] As kindly diagnosed by Arnd, this does not only occur when building for the mn10300 architecture (which is what the report was about) but also for h8300, and builds for other 32-bit architectures show an increase in stack space utilization as well. Given that SHA3 operates on 64-bit quantities, and keeps a state matrix of 25 64-bit words, it is not surprising that 32-bit architectures with few general purpose registers are impacted the most by this, and it is therefore reasonable to implement a workaround that distinguishes between 32-bit and 64-bit architectures. Arnd figured out that taking the round calculation out of the loop, and inlining it explicitly but only on 64-bit architectures preserves most of the performance gain achieved by the rewrite, and also gets rid of the excessive use of stack space. Reported-by:
kbuild test robot <fengguang.wu@intel.com> Suggested-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
LEROY Christophe authored
Performing the hash of an empty file leads to a kernel Oops [ 44.504600] Unable to handle kernel paging request for data at address 0x0000000c [ 44.512819] Faulting instruction address: 0xc02d2be8 [ 44.524088] Oops: Kernel access of bad area, sig: 11 [#1] [ 44.529171] BE PREEMPT CMPC885 [ 44.532232] CPU: 0 PID: 491 Comm: md5sum Not tainted 4.15.0-rc8-00211-g3a968610b6ea #81 [ 44.540814] NIP: c02d2be8 LR: c02d2984 CTR: 00000000 [ 44.545812] REGS: c6813c90 TRAP: 0300 Not tainted (4.15.0-rc8-00211-g3a968610b6ea) [ 44.554223] MSR: 00009032 <EE,ME,IR,DR,RI> CR: 48222822 XER: 20000000 [ 44.560855] DAR: 0000000c DSISR: c0000000 [ 44.560855] GPR00: c02d28fc c6813d40 c6828000 c646fa40 00000001 00000001 00000001 00000000 [ 44.560855] GPR08: 0000004c 00000000 c000bfcc 00000000 28222822 100280d4 00000000 10020008 [ 44.560855] GPR16: 00000000 00000020 00000000 00000000 10024008 00000000 c646f9f0 c6179a10 [ 44.560855] GPR24: 00000000 00000001 c62f0018 c6179a10 00000000 c6367a30 c62f0000 c646f9c0 [ 44.598542] NIP [c02d2be8] ahash_process_req+0x448/0x700 [ 44.603751] LR [c02d2984] ahash_process_req+0x1e4/0x700 [ 44.608868] Call Trace: [ 44.611329] [c6813d40] [c02d28fc] ahash_process_req+0x15c/0x700 (unreliable) [ 44.618302] [c6813d90] [c02060c4] hash_recvmsg+0x11c/0x210 [ 44.623716] [c6813db0] [c0331354] ___sys_recvmsg+0x98/0x138 [ 44.629226] [c6813eb0] [c03332c0] __sys_recvmsg+0x40/0x84 [ 44.634562] [c6813f10] [c03336c0] SyS_socketcall+0xb8/0x1d4 [ 44.640073] [c6813f40] [c000d1ac] ret_from_syscall+0x0/0x38 [ 44.645530] Instruction dump: [ 44.648465] 38c00001 7f63db78 4e800421 7c791b78 54690ffe 0f090000 80ff0190 2f870000 [ 44.656122] 40befe50 2f990001 409e0210 813f01bc <8129000c> b39e003a 7d29c214 913e003c This patch fixes that Oops by checking if src is NULL. Fixes: 6a1e8d14 ("crypto: talitos - making mapping helpers more generic") Cc: <stable@vger.kernel.org> Signed-off-by:
Christophe Leroy <christophe.leroy@c-s.fr> Signed-off-by:
-
Eric Biggers authored
The SHA-512 multibuffer code keeps track of the number of blocks pending in each lane. The minimum of these values is used to identify the next lane that will be completed. Unused lanes are set to a large number (0xFFFFFFFF) so that they don't affect this calculation. However, it was forgotten to set the lengths to this value in the initial state, where all lanes are unused. As a result it was possible for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing a NULL pointer dereference. Specifically this could happen in the case where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data, so it then called sha_complete_job() without having actually submitted any blocks to the multi-buffer code. This hit a NULL pointer dereference if another task happened to have submitted blocks concurrently to the same CPU and the flush timer had not yet expired. Fix this by initializing sha512_mb_mgr->lens correctly. As usual, this bug was found by syzkaller. Fixes: 45691e2d ("crypto: sha512-mb - submit/flush routines for AVX2") Reported-by:
syzbot <syzkaller@googlegroups.com> Cc: <stable@vger.kernel.org> # v4.8+ Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
- 25 Jan, 2018 16 commits
-
-
Alexey Khoroshilov authored
If clk_get() fails, device_remove_file() looks inappropriate. The error path, where all crypto_register fail, misses resource deallocations. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by:
Alexey Khoroshilov <khoroshilov@ispras.ru> Reviewed-by:
Jamie Iles <jamie@jamieiles.com> Signed-off-by:
-
Ard Biesheuvel authored
Add a missing symbol export that prevents this code to be built as a module. Also, move the round constant table to the .rodata section, and use a more optimized version of the core transform. Signed-off-by:
-
Ard Biesheuvel authored
Implement the Chinese SM3 secure hash algorithm using the new special instructions that have been introduced as an optional extension in ARMv8.2. Tested-by:
Steve Capper <steve.capper@arm.com> Signed-off-by:
-
Ard Biesheuvel authored
Implement the various flavours of SHA3 using the new optional EOR3/RAX1/XAR/BCAX instructions introduced by ARMv8.2. Tested-by:
-
Ard Biesheuvel authored
All current SHA3 test cases are smaller than the SHA3 block size, which means not all code paths are being exercised. So add a new test case to each variant, and make one of the existing test cases chunked. Signed-off-by:
-
Ard Biesheuvel authored
To allow accelerated implementations to fall back to the generic routines, e.g., in contexts where a SIMD based implementation is not allowed to run, expose the generic SHA3 init/update/final routines to other modules. Signed-off-by:
-
Ard Biesheuvel authored
In preparation of exposing the generic SHA3 implementation to other versions as a fallback, simplify the code, and remove an inconsistency in the output handling (endian swabbing rsizw words of state before writing the output does not make sense) Signed-off-by:
-
Ard Biesheuvel authored
The way the KECCAK transform is currently coded involves many references into the state array using indexes that are calculated at runtime using simple but non-trivial arithmetic. This forces the compiler to treat the state matrix as an array in memory rather than keep it in registers, which results in poor performance. So instead, let's rephrase the algorithm using fixed array indexes only. This helps the compiler keep the state matrix in registers, resulting in the following speedup (SHA3-256 performance in cycles per byte): before after speedup Intel Core i7 @ 2.0 GHz (2.9 turbo) 100.6 35.7 2.8x Cortex-A57 @ 2.0 GHz (64-bit mode) 101.6 12.7 8.0x Cortex-A53 @ 1.0 GHz 224.4 15.8 14.2x Cortex-A57 @ 2.0 GHz (32-bit mode) 201.8 63.0 3.2x Signed-off-by: -
Ard Biesheuvel authored
Ensure that the input is byte swabbed before injecting it into the SHA3 transform. Use the get_unaligned() accessor for this so that we don't perform unaligned access inadvertently on architectures that do not support that. Cc: <stable@vger.kernel.org> Fixes: 53964b9e ("crypto: sha3 - Add SHA-3 hash algorithm") Signed-off-by:
-
Stephan Mueller authored
GCM can be invoked with a zero destination buffer. This is possible if the AAD and the ciphertext have zero lengths and only the tag exists in the source buffer (i.e. a source buffer cannot be zero). In this case, the GCM cipher only performs the authentication and no decryption operation. When the destination buffer has zero length, it is possible that no page is mapped to the SG pointing to the destination. In this case, sg_page(req->dst) is an invalid access. Therefore, page accesses should only be allowed if the req->dst->length is non-zero which is the indicator that a page must exist. This fixes a crash that can be triggered by user space via AF_ALG. CC: <stable@vger.kernel.org> Signed-off-by:
Stephan Mueller <smueller@chronox.de> Signed-off-by:
-
Corentin LABBE authored
Since CRYPTO_SHA384 does not exists, Kconfig should not select it. Anyway, all SHA384 stuff is in CRYPTO_SHA512 which is already selected. Fixes: a21eb94fi ("crypto: axis - add ARTPEC-6/7 crypto accelerator driver") Signed-off-by:
Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by:
-
weiyongjun \(A\) authored
There is a error message within devm_ioremap_resource already, so remove the dev_err call to avoid redundant error message. Signed-off-by:
Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by:
Eric Anholt <eric@anholt.net> Acked-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
weiyongjun \(A\) authored
There is a error message within devm_ioremap_resource already, so remove the dev_err call to avoid redundant error message. Signed-off-by:
Fabien Dessenne <fabien.dessenne@st.com> Signed-off-by:
-
weiyongjun \(A\) authored
devm_ioremap_resource() already checks if the resource is NULL, so remove the unnecessary platform_get_resource() error check. Signed-off-by:
-
Kamil Konieczny authored
Async hash operations can use result pointer in final/finup/digest, but not in init/update/export/import, so test it for misuse. Signed-off-by:
Kamil Konieczny <k.konieczny@partner.samsung.com> Signed-off-by:
-
Colin Ian King authored
The function safexcel_try_push_requests is local to the source and does not need to be in global scope, so make it static. Cleans up sparse warning: symbol 'safexcel_try_push_requests' was not declared. Should it be static? Signed-off-by:
Colin Ian King <colin.king@canonical.com> [Antoine: fixed alignment] Signed-off-by:
Antoine Tenart <antoine.tenart@free-electrons.com> Signed-off-by:
-
- 20 Jan, 2018 1 commit
-
-
Arnd Bergmann authored
My last bugfix added -Os on the command line, which unfortunately caused a build regression on powerpc in some configurations. I've done some more analysis of the original problem and found slightly different workaround that avoids this regression and also results in better performance on gcc-7.0: -fcode-hoisting is an optimization step that got added in gcc-7 and that for all gcc-7 versions causes worse performance. This disables -fcode-hoisting on all compilers that understand the option. For gcc-7.1 and 7.2 I found the same performance as my previous patch (using -Os), in gcc-7.0 it was even better. On gcc-8 I could see no change in performance from this patch. In theory, code hoisting should not be able make things better for the AES cipher, so leaving it disabled for gcc-8 only serves to simplify the Makefile change. Reported-by:
-
- 19 Jan, 2018 1 commit
-
-
Harsh Jain authored
Fix Warning introduced in changeset e1a018e6 ("crypto: chelsio - Remove dst sg size zero check") Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Harsh Jain <harsh@chelsio.com> Signed-off-by:
-
- 18 Jan, 2018 18 commits
-
-
Ard Biesheuvel authored
Load the four SHA-1 round constants using immediates rather than literal pool entries, to avoid having executable data that may be exploitable under speculation attacks. Signed-off-by:
-
Ard Biesheuvel authored
Move the SHA2 round constant table to the .rodata section where it is safe from being exploited by speculative execution. Signed-off-by:
-
Ard Biesheuvel authored
Move the CRC-T10DIF literal data to the .rodata section where it is safe from being exploited by speculative execution. Signed-off-by:
-
Ard Biesheuvel authored
Move CRC32 literal data to the .rodata section where it is safe from being exploited by speculative execution. Signed-off-by:
-
Ard Biesheuvel authored
Move the S-boxes and some other literals to the .rodata section where it is safe from being exploited by speculative execution. Signed-off-by:
-
Ard Biesheuvel authored
Move the AES inverse S-box to the .rodata section where it is safe from abuse by speculation. Signed-off-by:
-
Martin Kaiser authored
Use the SIMPLE_DEV_PM_OPS() macro instead of populating a struct dev_pm_ops directly. The suspend and resume functions will now be used for both hibernation and suspend to ram. If power management is disabled, SIMPLE_DEV_PM_OPS() evaluates to nothing, The two functions won't be used and won't be included in the kernel. Mark them as __maybe_unused to clarify that this is intended behaviour. With these modifications in place, we don't need the #ifdefs for power management any more. Signed-off-by:
Martin Kaiser <martin@kaiser.cx> Signed-off-by:
-
Harsh Jain authored
sg_nents_xlen will take care of zero length sg list. Remove Destination sg list size zero check. Signed-off-by:
-
Harsh Jain authored
Add ctr and sha combination of algo in authenc mode. Signed-off-by:
-
Harsh Jain authored
Skip decrypt operation on IV received from HW for last request. Signed-off-by:
-
Harsh Jain authored
Add warning message if sg is NULL after skipping bytes. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Harsh Jain authored
Fix inconsistent Indenting. Reported-by:
-
Robin Murphy authored
phys_to_dma() is an internal helper for certain DMA API implementations, and is not appropriate for drivers to use. It appears that what the CESA driver really wants to be using is dma_map_resource() - admittedly that didn't exist when the offending code was first merged, but it does now. Signed-off-by:
Robin Murphy <robin.murphy@arm.com> Acked-by:
Boris Brezillon <boris.brezillon@free-electrons.com> Signed-off-by:
-
weiyongjun \(A\) authored
There is a error message within devm_ioremap_resource already, so remove the dev_err call to avoid redundant error message. Signed-off-by:
Krzysztof Kozlowski <krzk@kernel.org> Acked-by:
Łukasz Stelmach <l.stelmach@samsung.com> Signed-off-by:
-
Dan Carpenter authored
"val" needs to be signed for the error handling to work. Fixes: 6cd225cc ("hwrng: exynos - add Samsung Exynos True RNG driver") Signed-off-by:
-
Sean Wang authored
When hw_random device's quality is non-zero, it will automatically fill the kernel's entropy pool at boot. For the purpose, one conservative quality value is being picked up as the default value. Signed-off-by:
Sean Wang <sean.wang@mediatek.com> Signed-off-by:
-
Ard Biesheuvel authored
Implement the SHA-512 using the new special instructions that have been introduced as an optional extension in ARMv8.2. Signed-off-by:
-
Krzysztof Kozlowski authored
Replace GPL license statement with SPDX GPL-2.0 license identifier. Signed-off-by:
-
