git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/5.0.18/crypto-chacha-generic-fix-use-as-arm64-no-neon-fallback.patch
Linux 5.0.18
1 From 7aceaaef04eaaf6019ca159bc354d800559bba1d Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Tue, 12 Mar 2019 22:12:45 -0700
4 Subject: crypto: chacha-generic - fix use as arm64 no-NEON fallback
5
6 From: Eric Biggers <ebiggers@google.com>
7
8 commit 7aceaaef04eaaf6019ca159bc354d800559bba1d upstream.
9
10 The arm64 implementations of ChaCha and XChaCha are failing the extra
11 crypto self-tests following my patches to test the !may_use_simd() code
12 paths, which previously were untested. The problem is as follows:
13
14 When !may_use_simd(), the arm64 NEON implementations fall back to the
15 generic implementation, which uses the skcipher_walk API to iterate
16 through the src/dst scatterlists. Due to how the skcipher_walk API
17 works, walk.stride is set from the skcipher_alg actually being used,
18 which in this case is the arm64 NEON algorithm. Thus walk.stride is
19 5*CHACHA_BLOCK_SIZE, not CHACHA_BLOCK_SIZE.
20
21 This unnecessarily large stride shouldn't cause an actual problem.
22 However, the generic implementation computes round_down(nbytes,
23 walk.stride). round_down() assumes the round amount is a power of 2,
24 which 5*CHACHA_BLOCK_SIZE is not, so it gives the wrong result.
25
26 This causes the following case in skcipher_walk_done() to be hit,
27 causing a WARN() and failing the encryption operation:
28
29     if (WARN_ON(err)) {
30         /* unexpected case; didn't process all bytes */
31         err = -EINVAL;
32         goto finish;
33     }
34
35 Fix it by rounding down to CHACHA_BLOCK_SIZE instead of walk.stride.
36
37 (Or we could replace round_down() with rounddown(), but that would add a
38 slow division operation every time, which I think we should avoid.)
39
40 Fixes: 2fe55987b262 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed")
41 Cc: <stable@vger.kernel.org> # v5.0+
42 Signed-off-by: Eric Biggers <ebiggers@google.com>
43 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
44 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
45 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
46
47 ---
48 crypto/chacha_generic.c | 2 +-
49 1 file changed, 1 insertion(+), 1 deletion(-)
50
51 --- a/crypto/chacha_generic.c
52 +++ b/crypto/chacha_generic.c
53 @@ -52,7 +52,7 @@ static int chacha_stream_xor(struct skci
54 unsigned int nbytes = walk.nbytes;
55
56 if (nbytes < walk.total)
57 - nbytes = round_down(nbytes, walk.stride);
58 + nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
59
60 chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
61 nbytes, ctx->nrounds);
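Review bot: the replaced line in chacha_stream_xor(), round_down(nbytes, CHACHA_BLOCK_SIZE), carries no comment explaining why walk.stride is deliberately avoided, so a later cleanup could reinstate it. Suggest a short comment above it stating that round_down() requires a power-of-2 second argument and that walk.stride is 5*CHACHA_BLOCK_SIZE when this function serves as the arm64 NEON fallback. It may also be worth a follow-up that makes a non-power-of-2 argument to round_down() fail loudly instead of returning a wrong length, since this hunk fixes one caller only.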
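The rounding error described in the commit message, reproduced in userspace as an added example (not code from the patch or the kernel tree). The helper names, `NEON_STRIDE` and the sample lengths are assumptions made for illustration; the two helpers use the same arithmetic as the kernel's `round_down()` and `rounddown()`.

```c
#include <stdio.h>

#define CHACHA_BLOCK_SIZE 64u                 /* ChaCha block size in bytes */
#define NEON_STRIDE (5u * CHACHA_BLOCK_SIZE)  /* walk.stride from the commit message */

/* Same arithmetic as round_down(): correct only when y is a power of 2. */
static unsigned int mask_round_down(unsigned int x, unsigned int y)
{
    return x & ~(y - 1u);
}

/* Same arithmetic as rounddown(): correct for any y, costs a division. */
static unsigned int div_round_down(unsigned int x, unsigned int y)
{
    return x - (x % y);
}

static int is_power_of_2(unsigned int y)
{
    return y != 0 && (y & (y - 1u)) == 0;
}

/* Count lengths in [0, limit) where the mask form disagrees with the true result. */
static unsigned int count_wrong(unsigned int y, unsigned int limit)
{
    unsigned int n, wrong = 0;

    for (n = 0; n < limit; n++)
        if (mask_round_down(n, y) != div_round_down(n, y))
            wrong++;
    return wrong;
}

int main(void)
{
    /* Constructed sample lengths, not captured from a real skcipher walk. */
    const unsigned int samples[] = { 320, 383, 512, 640, 4096 };
    unsigned int i;

    printf("%6s %12s %12s %10s\n", "nbytes", "mask(5*64)", "true(5*64)", "mask(64)");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%6u %12u %12u %10u\n", samples[i],
               mask_round_down(samples[i], NEON_STRIDE),
               div_round_down(samples[i], NEON_STRIDE),
               mask_round_down(samples[i], CHACHA_BLOCK_SIZE));
    printf("320 is a power of 2: %d; wrong results below 4096: stride 320 -> %u, stride 64 -> %u\n",
           is_power_of_2(NEON_STRIDE), count_wrong(NEON_STRIDE, 4096),
           count_wrong(CHACHA_BLOCK_SIZE, 4096));
    return 0;
}
```

With a 320-byte stride the mask form returns 64 for a 320-byte chunk and 512 for a 512-byte chunk, so the result can be too small or not a stride multiple at all; with `CHACHA_BLOCK_SIZE` it is always exact.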