lib/crypto: x86/blake2s: Avoid writing back unchanged 'f' value

Just before returning, blake2s_compress_ssse3() and
blake2s_compress_avx512() store updated values to the 'h', 't', and 'f'
fields of struct blake2s_ctx.  But 'f' is always unchanged (which is
correct; only the C code changes it).  So, there's no need to write to
'f'.  Use 64-bit stores (movq and vmovq) instead of 128-bit stores
(movdqu and vmovdqu) so that only 't' is written.

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251102234209.62133-6-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

diff --git a/lib/crypto/x86/blake2s-core.S b/lib/crypto/x86/blake2s-core.S
index f805a49c590d5aadaf062f5744f6ac26a26d19d6..869064f6ac16e27602c3ec1035e06707655ccf02 100644 (file)
--- a/lib/crypto/x86/blake2s-core.S
+++ b/lib/crypto/x86/blake2s-core.S
@@ -193,7 +193,7 @@ SYM_FUNC_START(blake2s_compress_ssse3)
 
        movdqu          %xmm0,(CTX)             // Store new h[0..3]
        movdqu          %xmm1,16(CTX)           // Store new h[4..7]
-       movdqu          %xmm14,32(CTX)          // Store new t and f
+       movq            %xmm14,32(CTX)          // Store new t (f is unchanged)
        RET
 SYM_FUNC_END(blake2s_compress_ssse3)
 
@@ -287,7 +287,7 @@ SYM_FUNC_START(blake2s_compress_avx512)
 
        vmovdqu         %xmm0,(CTX)             // Store new h[0..3]
        vmovdqu         %xmm1,16(CTX)           // Store new h[4..7]
-       vmovdqu         %xmm4,32(CTX)           // Store new t and f
+       vmovq           %xmm4,32(CTX)           // Store new t (f is unchanged)
        vzeroupper
        RET
 SYM_FUNC_END(blake2s_compress_avx512)