1. 28 Sep, 2018 1 commit
  2. 04 Sep, 2018 2 commits
  3. 20 Apr, 2018 1 commit
  4. 30 Mar, 2018 1 commit
    • Herbert Xu's avatar
      crypto: api - Keep failed instances alive · eb02c38f
      Herbert Xu authored
      This patch reverts commit 9c521a20 ("crypto: api - remove
      instance when test failed") and fixes the underlying problem
      in a different way.
      To recap, prior to the reverted commit, an instance that fails
      a self-test is kept around.  However, it would satisfy any new
      lookups against its name and therefore the system may accumlulate
      an unbounded number of failed instances for the same algorithm
      The reverted commit fixed it by unregistering the instance.  Hoever,
      this still does not prevent the creation of the same failed instance
      over and over again each time the name is looked up.
      This patch fixes it by keeping the failed instance around, just as
      we would if it were a normal algorithm.  However, the lookup code
      has been udpated so that we do not attempt to create another
      instance as long as this failed one is still registered.  Of course,
      you could still force a new creation by deleting the instance from
      A new error (ELIBBAD) has been commandeered for this purpose and
      will be returned when all registered algorithm of a given name
      have failed the self-test.
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  5. 05 Jan, 2018 3 commits
    • Eric Biggers's avatar
      crypto: algapi - remove unused notifications · 8b55107c
      Eric Biggers authored
      There is a message posted to the crypto notifier chain when an algorithm
      is unregistered, and when a template is registered or unregistered.  But
      nothing is listening for those messages; currently there are only
      listeners for the algorithm request and registration messages.
      Get rid of these unused notifications for now.
      Signed-off-by: default avatarEric Biggers <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
    • Eric Biggers's avatar
      crypto: algapi - convert cra_refcnt to refcount_t · ce8614a3
      Eric Biggers authored
      Reference counters should use refcount_t rather than atomic_t, since the
      refcount_t implementation can prevent overflows, reducing the
      exploitability of reference leak bugs.  crypto_alg.cra_refcount is a
      reference counter with the usual semantics, so switch it over to
      Signed-off-by: default avatarEric Biggers <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
    • Eric Biggers's avatar
      crypto: algapi - fix NULL dereference in crypto_remove_spawns() · 9a006742
      Eric Biggers authored
      syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
      via a program that repeatedly and concurrently requests AEADs
      "authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
      through AF_ALG, where the hashes are requested as "untested"
      (CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
      causes the template to be instantiated for every request).
      Although AF_ALG users really shouldn't be able to request an "untested"
      algorithm, the NULL pointer dereference is actually caused by a
      longstanding race condition where crypto_remove_spawns() can encounter
      an instance which has had spawn(s) "grabbed" but hasn't yet been
      registered, resulting in ->cra_users still being NULL.
      We probably should properly initialize ->cra_users earlier, but that
      would require updating many templates individually.  For now just fix
      the bug in a simple way that can easily be backported: make
      crypto_remove_spawns() treat a NULL ->cra_users list as empty.
      Reported-by: default avatarsyzbot <[email protected]>
      Cc: [email protected]
      Signed-off-by: default avatarEric Biggers <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  6. 03 Nov, 2017 1 commit
    • Gilad Ben-Yossef's avatar
      crypto: change transient busy return code to -ENOSPC · 6b80ea38
      Gilad Ben-Yossef authored
      The crypto API was using the -EBUSY return value to indicate
      both a hard failure to submit a crypto operation into a
      transformation provider when the latter was busy and the backlog
      mechanism was not enabled as well as a notification that the
      operation was queued into the backlog when the backlog mechanism
      was enabled.
      Having the same return code indicate two very different conditions
      depending on a flag is both error prone and requires extra runtime
      check like the following to discern between the cases:
      	if (err == -EINPROGRESS ||
      	    (err == -EBUSY && (ahash_request_flags(req) &
      This patch changes the return code used to indicate a crypto op
      failed due to the transformation provider being transiently busy
      to -ENOSPC.
      Signed-off-by: default avatarGilad Ben-Yossef <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  7. 04 Aug, 2017 1 commit
  8. 19 Jun, 2017 1 commit
  9. 09 Mar, 2017 1 commit
    • Ard Biesheuvel's avatar
      crypto: algapi - annotate expected branch behavior in crypto_inc() · 27c539ae
      Ard Biesheuvel authored
      To prevent unnecessary branching, mark the exit condition of the
      primary loop as likely(), given that a carry in a 32-bit counter
      occurs very rarely.
      On arm64, the resulting code is emitted by GCC as
           9a8:   cmp     w1, #0x3
           9ac:   add     x3, x0, w1, uxtw
           9b0:   b.ls    9e0 <crypto_inc+0x38>
           9b4:   ldr     w2, [x3,#-4]!
           9b8:   rev     w2, w2
           9bc:   add     w2, w2, #0x1
           9c0:   rev     w4, w2
           9c4:   str     w4, [x3]
           9c8:   cbz     w2, 9d0 <crypto_inc+0x28>
           9cc:   ret
      where the two remaining branch conditions (one for size < 4 and one for
      the carry) are statically predicted as non-taken, resulting in optimal
      execution in the vast majority of cases.
      Also, replace the open coded alignment test with IS_ALIGNED().
      Cc: Jason A. Donenfeld <[email protected]>
      Signed-off-by: default avatarArd Biesheuvel <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  10. 11 Feb, 2017 1 commit
    • Ard Biesheuvel's avatar
      crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic · db91af0f
      Ard Biesheuvel authored
      Instead of unconditionally forcing 4 byte alignment for all generic
      chaining modes that rely on crypto_xor() or crypto_inc() (which may
      result in unnecessary copying of data when the underlying hardware
      can perform unaligned accesses efficiently), make those functions
      deal with unaligned input explicitly, but only if the Kconfig symbol
      HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
      the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.
      For crypto_inc(), this simply involves making the 4-byte stride
      conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
      it typically operates on 16 byte buffers.
      For crypto_xor(), an algorithm is implemented that simply runs through
      the input using the largest strides possible if unaligned accesses are
      allowed. If they are not, an optimal sequence of memory accesses is
      emitted that takes the relative alignment of the input buffers into
      account, e.g., if the relative misalignment of dst and src is 4 bytes,
      the entire xor operation will be completed using 4 byte loads and stores
      (modulo unaligned bits at the start and end). Note that all expressions
      involving misalign are simply eliminated by the compiler when
      Signed-off-by: default avatarArd Biesheuvel <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  11. 23 Jan, 2017 1 commit
  12. 01 Jul, 2016 1 commit
  13. 25 Jan, 2016 1 commit
  14. 23 Nov, 2015 1 commit
  15. 20 Oct, 2015 1 commit
    • Herbert Xu's avatar
      crypto: api - Only abort operations on fatal signal · 3fc89adb
      Herbert Xu authored
      Currently a number of Crypto API operations may fail when a signal
      occurs.  This causes nasty problems as the caller of those operations
      are often not in a good position to restart the operation.
      In fact there is currently no need for those operations to be
      interrupted by user signals at all.  All we need is for them to
      be killable.
      This patch replaces the relevant calls of signal_pending with
      fatal_signal_pending, and wait_for_completion_interruptible with
      wait_for_completion_killable, respectively.
      Cc: [email protected]
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  16. 14 Jul, 2015 2 commits
  17. 03 Jun, 2015 1 commit
  18. 13 May, 2015 1 commit
    • Herbert Xu's avatar
      crypto: api - Add crypto_grab_spawn primitive · d6ef2f19
      Herbert Xu authored
      This patch adds a new primitive crypto_grab_spawn which is meant
      to replace crypto_init_spawn and crypto_init_spawn2.  Under the
      new scheme the user no longer has to worry about reference counting
      the alg object before it is subsumed by the spawn.
      It is pretty much an exact copy of crypto_grab_aead.
      Prior to calling this function spawn->frontend and spawn->inst
      must have been set.
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  19. 26 Apr, 2015 1 commit
  20. 23 Apr, 2015 2 commits
  21. 21 Apr, 2015 1 commit
  22. 16 Apr, 2015 1 commit
  23. 10 Apr, 2015 2 commits
    • Stephan Mueller's avatar
      crypto: api - remove instance when test failed · 9c521a20
      Stephan Mueller authored
      A cipher instance is added to the list of instances unconditionally
      regardless of whether the associated test failed. However, a failed
      test implies that during another lookup, the cipher instance will
      be added to the list again as it will not be found by the lookup
      That means that the list can be filled up with instances whose tests
      Note: tests only fail in reality in FIPS mode when a cipher is not
      marked as fips_allowed=1. This can be seen with cmac(des3_ede) that does
      not have a fips_allowed=1. When allocating the cipher, the allocation
      fails with -ENOENT due to the missing fips_allowed=1 flag (which
      causes the testmgr to return EINVAL). Yet, the instance of
      cmac(des3_ede) is shown in /proc/crypto. Allocating the cipher again
      fails again, but a 2nd instance is listed in /proc/crypto.
      The patch simply de-registers the instance when the testing failed.
      Signed-off-by: Stephan Mueller's avatarStephan Mueller <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
    • Herbert Xu's avatar
      crypto: api - Move alg ref count init to crypto_check_alg · e9b8e5be
      Herbert Xu authored
      We currently initialise the crypto_alg ref count in the function
      __crypto_register_alg.  As one of the callers of that function
      crypto_register_instance needs to obtain a ref count before it
      calls __crypto_register_alg, we need to move the initialisation
      out of there.
      Since both callers of __crypto_register_alg call crypto_check_alg,
      this is the logical place to perform the initialisation.
      Signed-off-by: default avatarHerbert Xu <[email protected]>
      Acked-by: Stephan Mueller's avatarStephan Mueller <[email protected]>
  24. 03 Apr, 2015 2 commits
  25. 22 Dec, 2014 1 commit
  26. 26 Nov, 2014 1 commit
  27. 03 Jul, 2014 1 commit
  28. 03 Jul, 2013 1 commit
  29. 28 Feb, 2013 1 commit
    • Sasha Levin's avatar
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      I'm not sure why, but the hlist for each entry iterators were conceived
              list_for_each_entry(pos, head, member)
      The hlist ones were greedy and wanted an extra parameter:
              hlist_for_each_entry(tpos, pos, head, member)
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      Besides the semantic patch, there was some manual work required:
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      -T b;
          <+... when != b
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c, d) S
      - b,
      c) S
      for_each_busy_worker(a, c,
      - b,
      d) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c) S
      -(a, b)
      + sk_for_each_from(a) S
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c, d, e) S
      - b,
      c) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c) S
      - b,
      c, d) S
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      - b,
      c) S
      - b,
      c, d) S
      - b,
      c, d) S
      [[email protected]: drop bogus change from net/ipv4/raw.c]
      [[email protected]: drop bogus hunk from net/ipv6/raw.c]
      [[email protected]: checkpatch fixes]
      [[email protected]: fix warnings]
      [[email protected]: redo intrusive kvm changes]
      Tested-by: Peter Senna Tschudin's avatarPeter Senna Tschudin <[email protected]>
      Acked-by: default avatarPaul E. McKenney <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      Cc: Wu Fengguang <[email protected]>
      Cc: Marcelo Tosatti <[email protected]>
      Cc: Gleb Natapov <[email protected]>
      Signed-off-by: default avatarAndrew Morton <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
  30. 04 Feb, 2013 1 commit
  31. 22 Jun, 2012 1 commit
    • Herbert Xu's avatar
      crypto: algapi - Move larval completion into algboss · 39871037
      Herbert Xu authored
      It has been observed that sometimes the crypto allocation code
      will get stuck for 60 seconds or multiples thereof.  This is
      usually caused by an algorithm failing to pass the self-test.
      If an algorithm fails to be constructed, we will immediately notify
      all larval waiters.  However, if it succeeds in construction, but
      then fails the self-test, we won't notify anyone at all.
      This patch fixes this by merging the notification in the case
      where the algorithm fails to be constructed with that of the
      the case where it pases the self-test.  This way regardless of
      what happens, we'll give the larval waiters an answer.
      Signed-off-by: default avatarHerbert Xu <[email protected]>
  32. 26 Jan, 2012 1 commit
  33. 09 Nov, 2011 1 commit