1 From 7aceaaef04eaaf6019ca159bc354d800559bba1d Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Tue, 12 Mar 2019 22:12:45 -0700
4 Subject: crypto: chacha-generic - fix use as arm64 no-NEON fallback
6 From: Eric Biggers <ebiggers@google.com>
8 commit 7aceaaef04eaaf6019ca159bc354d800559bba1d upstream.
10 The arm64 implementations of ChaCha and XChaCha are failing the extra
11 crypto self-tests following my patches to test the !may_use_simd() code
12 paths, which previously were untested. The problem is as follows:
14 When !may_use_simd(), the arm64 NEON implementations fall back to the
15 generic implementation, which uses the skcipher_walk API to iterate
16 through the src/dst scatterlists. Due to how the skcipher_walk API
17 works, walk.stride is set from the skcipher_alg actually being used,
18 which in this case is the arm64 NEON algorithm. Thus walk.stride is
19 5*CHACHA_BLOCK_SIZE, not CHACHA_BLOCK_SIZE.
21 This unnecessarily large stride shouldn't cause an actual problem.
22 However, the generic implementation computes round_down(nbytes,
23 walk.stride). round_down() assumes the round amount is a power of 2,
24 which 5*CHACHA_BLOCK_SIZE is not, so it gives the wrong result.
26 This causes the following case in skcipher_walk_done() to be hit,
27 causing a WARN() and failing the encryption operation:
30 /* unexpected case; didn't process all bytes */
35 Fix it by rounding down to CHACHA_BLOCK_SIZE instead of walk.stride.
37 (Or we could replace round_down() with rounddown(), but that would add a
38 slow division operation every time, which I think we should avoid.)
40 Fixes: 2fe55987b262 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed")
41 Cc: <stable@vger.kernel.org> # v5.0+
42 Signed-off-by: Eric Biggers <ebiggers@google.com>
43 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
44 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
45 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
48 crypto/chacha_generic.c | 2 +-
49 1 file changed, 1 insertion(+), 1 deletion(-)
51 --- a/crypto/chacha_generic.c
52 +++ b/crypto/chacha_generic.c
53 @@ -52,7 +52,7 @@ static int chacha_stream_xor(struct skci
54 unsigned int nbytes = walk.nbytes;
56 if (nbytes < walk.total)
57 - nbytes = round_down(nbytes, walk.stride);
58 + nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
60 chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
61 nbytes, ctx->nrounds);