1. 24 Apr, 2017 1 commit
  2. 21 Apr, 2017 1 commit
  3. 10 Apr, 2017 1 commit
    • Herbert Xu's avatar
      crypto: ahash - Fix EINPROGRESS notification callback · ef0579b6
      Herbert Xu authored
      The ahash API modifies the request's callback function in order
      to clean up after itself in some corner cases (unaligned final
      and missing finup).
      
      When the request is complete ahash will restore the original
      callback and everything is fine.  However, when the request gets
      an EBUSY on a full queue, an EINPROGRESS callback is made while
      the request is still ongoing.
      
      In this case the ahash API will incorrectly call its own callback.
      
      This patch fixes the problem by creating a temporary request
      object on the stack which is used to relay EINPROGRESS back to
      the original completion function.
      
      This patch also adds code to preserve the original flags value.
      
      Fixes: ab6bf4e5 ("crypto: hash - Fix the pointer voodoo in...")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Tested-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ef0579b6
  4. 05 Apr, 2017 2 commits
  5. 04 Apr, 2017 2 commits
  6. 03 Apr, 2017 1 commit
    • Mat Martineau's avatar
      KEYS: Split role of the keyring pointer for keyring restrict functions · aaf66c88
      Mat Martineau authored
      The first argument to the restrict_link_func_t functions was a keyring
      pointer. These functions are called by the key subsystem with this
      argument set to the destination keyring, but restrict_link_by_signature
      expects a pointer to the relevant trusted keyring.
      
      Restrict functions may need something other than a single struct key
      pointer to allow or reject key linkage, so the data used to make that
      decision (such as the trust keyring) is moved to a new, fourth
      argument. The first argument is now always the destination keyring.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      aaf66c88
  7. 10 Mar, 2017 1 commit
    • David Howells's avatar
      net: Work around lockdep limitation in sockets that use sockets · cdfbabfb
      David Howells authored
      Lockdep issues a circular dependency warning when AFS issues an operation
      through AF_RXRPC from a context in which the VFS/VM holds the mmap_sem.
      
      The theory lockdep comes up with is as follows:
      
       (1) If the pagefault handler decides it needs to read pages from AFS, it
           calls AFS with mmap_sem held and AFS begins an AF_RXRPC call, but
           creating a call requires the socket lock:
      
      	mmap_sem must be taken before sk_lock-AF_RXRPC
      
       (2) afs_open_socket() opens an AF_RXRPC socket and binds it.  rxrpc_bind()
           binds the underlying UDP socket whilst holding its socket lock.
           inet_bind() takes its own socket lock:
      
      	sk_lock-AF_RXRPC must be taken before sk_lock-AF_INET
      
       (3) Reading from a TCP socket into a userspace buffer might cause a fault
           and thus cause the kernel to take the mmap_sem, but the TCP socket is
           locked whilst doing this:
      
      	sk_lock-AF_INET must be taken before mmap_sem
      
      However, lockdep's theory is wrong in this instance because it deals only
      with lock classes and not individual locks.  The AF_INET lock in (2) isn't
      really equivalent to the AF_INET lock in (3) as the former deals with a
      socket entirely internal to the kernel that never sees userspace.  This is
      a limitation in the design of lockdep.
      
      Fix the general case by:
      
       (1) Double up all the locking keys used in sockets so that one set are
           used if the socket is created by userspace and the other set is used
           if the socket is created by the kernel.
      
       (2) Store the kern parameter passed to sk_alloc() in a variable in the
           sock struct (sk_kern_sock).  This informs sock_lock_init(),
           sock_init_data() and sk_clone_lock() as to the lock keys to be used.
      
           Note that the child created by sk_clone_lock() inherits the parent's
           kern setting.
      
       (3) Add a 'kern' parameter to ->accept() that is analogous to the one
           passed in to ->create() that distinguishes whether kernel_accept() or
           sys_accept4() was the caller and can be passed to sk_alloc().
      
           Note that a lot of accept functions merely dequeue an already
           allocated socket.  I haven't touched these as the new socket already
           exists before we get the parameter.
      
           Note also that there are a couple of places where I've made the accepted
           socket unconditionally kernel-based:
      
      	irda_accept()
      	rds_rcp_accept_one()
      	tcp_accept_from_sock()
      
           because they follow a sock_create_kern() and accept off of that.
      
      Whilst creating this, I noticed that lustre and ocfs don't create sockets
      through sock_create_kern() and thus they aren't marked as for-kernel,
      though they appear to be internal.  I wonder if these should do that so
      that they use the new set of lock keys.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cdfbabfb
  8. 09 Mar, 2017 3 commits
  9. 27 Feb, 2017 1 commit
  10. 11 Feb, 2017 1 commit
    • Ard Biesheuvel's avatar
      crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic · db91af0f
      Ard Biesheuvel authored
      Instead of unconditionally forcing 4 byte alignment for all generic
      chaining modes that rely on crypto_xor() or crypto_inc() (which may
      result in unnecessary copying of data when the underlying hardware
      can perform unaligned accesses efficiently), make those functions
      deal with unaligned input explicitly, but only if the Kconfig symbol
      HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
      the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.
      
      For crypto_inc(), this simply involves making the 4-byte stride
      conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
      it typically operates on 16 byte buffers.
      
      For crypto_xor(), an algorithm is implemented that simply runs through
      the input using the largest strides possible if unaligned accesses are
      allowed. If they are not, an optimal sequence of memory accesses is
      emitted that takes the relative alignment of the input buffers into
      account, e.g., if the relative misalignment of dst and src is 4 bytes,
      the entire xor operation will be completed using 4 byte loads and stores
      (modulo unaligned bits at the start and end). Note that all expressions
      involving misalign are simply eliminated by the compiler when
      HAVE_EFFICIENT_UNALIGNED_ACCESS is defined.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      db91af0f
  11. 03 Feb, 2017 1 commit
  12. 30 Dec, 2016 1 commit
    • Ard Biesheuvel's avatar
      crypto: skcipher - introduce walksize attribute for SIMD algos · c821f6ab
      Ard Biesheuvel authored
      In some cases, SIMD algorithms can only perform optimally when
      allowed to operate on multiple input blocks in parallel. This is
      especially true for bit slicing algorithms, which typically take
      the same amount of time processing a single block or 8 blocks in
      parallel. However, other SIMD algorithms may benefit as well from
      bigger strides.
      
      So add a walksize attribute to the skcipher algorithm definition, and
      wire it up to the skcipher walk API. To avoid confusion between the
      skcipher and AEAD attributes, rename the skcipher_walk chunksize
      attribute to 'stride', and set it from the walksize (in the skcipher
      case) or from the chunksize (in the AEAD case).
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c821f6ab
  13. 27 Dec, 2016 1 commit
  14. 13 Dec, 2016 3 commits
  15. 01 Dec, 2016 1 commit
  16. 30 Nov, 2016 1 commit
    • Stephan Mueller's avatar
      crypto: drbg - prevent invalid SG mappings · 51029812
      Stephan Mueller authored
      When using SGs, only heap memory (memory that is valid as per
      virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
      reference the caller-provided memory directly in an SG. In case the
      caller provided stack memory pointers, the SG mapping is not considered
      to be valid. In some cases, this would even cause a paging fault.
      
      The change adds a new scratch buffer that is used unconditionally to
      catch the cases where the caller-provided buffer is not suitable for
      use in an SG. The crypto operation of the CTR DRBG produces its output
      with that scratch buffer and finally copies the content of the
      scratch buffer to the caller's buffer.
      
      The scratch buffer is allocated during allocation time of the CTR DRBG
      as its access is protected with the DRBG mutex.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      51029812
  17. 28 Nov, 2016 5 commits
  18. 17 Nov, 2016 1 commit
  19. 13 Nov, 2016 1 commit
  20. 01 Nov, 2016 2 commits
  21. 25 Oct, 2016 3 commits
  22. 21 Oct, 2016 1 commit
  23. 02 Oct, 2016 1 commit
  24. 07 Sep, 2016 2 commits
  25. 19 Jul, 2016 1 commit
  26. 18 Jul, 2016 1 commit