Re: [dm-devel] Deadlock when using crypto API for block devices
On 08/24/18 09:22 PM, Herbert Xu wrote: > > > BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a > > > pretty complex condition. Do you mean that this condition is part of the > > > contract that the crypto API provides? > > > > This is an implementation defect. I think for this case we should > > fall back to software GCM if the accelerated version fails. > > > > > Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" > > > instead? > > > Because if the data ends up at page boundary, it will use the atomic > > > allocation that can fail. > > > > This condition does look strange. It's introduced by the commit > > e845520707f85c539ce04bb73c6070e9441480be. Dave, what exactly is > > it meant to do? The aesni routines still require linear AAD data, the condition checks that the AAD data is linear, and if not, kmallocs and copies it to a linear buffer. Yes, the condition looks like it could be <= PAGE_SIZE, similar to the one in gcmaes_encrypt. Yes, we should fall back to software gcm if kmalloc fails, although AAD data is usually small, and it is probably worth having a small stack buffer before attempting to kmalloc. -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, Aug 24, 2018 at 09:21:45PM +0800, Herbert Xu wrote: > On Fri, Aug 24, 2018 at 09:00:00AM -0400, Mikulas Patocka wrote: > > > > BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a > > pretty complex condition. Do you mean that this condition is part of the > > contract that the crypto API provides? > > This is an implementation defect. I think for this case we should > fall back to software GCM if the accelerated version fails. > > > Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" instead? > > Because if the data ends up at page boundary, it will use the atomic > > allocation that can fail. > > This condition does look strange. It's introduced by the commit > e845520707f85c539ce04bb73c6070e9441480be. Dave, what exactly is > it meant to do? I forgot to Cc Dave Watson. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, Aug 24, 2018 at 09:00:00AM -0400, Mikulas Patocka wrote: > > BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a > pretty complex condition. Do you mean that this condition is part of the > contract that the crypto API provides? This is an implementation defect. I think for this case we should fall back to software GCM if the accelerated version fails. > Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" instead? > Because if the data ends up at page boundary, it will use the atomic > allocation that can fail. This condition does look strange. It's introduced by the commit e845520707f85c539ce04bb73c6070e9441480be. Dave, what exactly is it meant to do? Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, 24 Aug 2018, Mikulas Patocka wrote: > > > On Fri, 24 Aug 2018, Herbert Xu wrote: > > > On Fri, Aug 24, 2018 at 07:06:32AM -0400, Mikulas Patocka wrote: > > > > > > A quick search through the crypto code shows that ahash_save_req and > > > seqiv_aead_encrypt return -ENOMEM. > > > > > > Will you fix them? > > > > These only trigger for unaligned buffers. It would be much better > > if dm-crypt can ensure that the input/output is properly unaligned > > and if otherwise do the allocation in dm-crypt. > > But we are relying here on an implementation detail and not on contract. > > Mikulas BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a pretty complex condition. Do you mean that this condition is part of the contract that the crypto API provides? Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" instead? Because if the data ends up at page boundary, it will use the atomic allocation that can fail. Mikulas -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, 24 Aug 2018, Herbert Xu wrote: > On Fri, Aug 24, 2018 at 07:06:32AM -0400, Mikulas Patocka wrote: > > > > A quick search through the crypto code shows that ahash_save_req and > > seqiv_aead_encrypt return -ENOMEM. > > > > Will you fix them? > > These only trigger for unaligned buffers. It would be much better > if dm-crypt can ensure that the input/output is properly unaligned > and if otherwise do the allocation in dm-crypt. But we are relying here on an implementation detail and not on contract. Mikulas -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, Aug 24, 2018 at 07:22:19AM -0400, Mikulas Patocka wrote: > > And also ablkcipher_next_slow, ablkcipher_copy_iv, skcipher_next_slow, > skcipher_next_copy, skcipher_copy_iv, blkcipher_next_slow, > blkcipher_copy_iv. > > So, I think that dropping CRYPTO_TFM_REQ_MAY_SLEEP is not possible. These should never trigger for dm-crypt AFAICS since it only happens if you provide unaligned input/output. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, 24 Aug 2018, Mikulas Patocka wrote: > > > On Fri, 24 Aug 2018, Herbert Xu wrote: > > > On Thu, Aug 23, 2018 at 04:39:23PM -0400, Mikulas Patocka wrote: > > > > > > 1. don't set CRYPTO_TFM_REQ_MAY_SLEEP in dm-crypt > > > = > > > If we don't set it, dm-crypt will use GFP_ATOMIC and GFP_ATOMIC may fail. > > > The function init_crypt in xts.c handles the failure gracefully - but the > > > question is - does the whole crypto code handle allocation failures > > > gracefully? If not and if it returns -ENOMEM somewhere, it would result > > > in > > > I/O errors and data corruption. > > > > It is safe to use GFP_ATOMIC. First of the allocation is really > > small (less than a page) so it will only fail when the system is > > almost completely out of memory. > > GFP_ATOMIC is used by networking code. If the system is in a situation > when packets arrive faster than the swapper is able to swap, it will > happen. It does happen during netwoking surge and corrupting the > filesystem in tris situation is not acceptable. > > > Even when it does fail the crypto > > operation will still succeed, albeit it will process things at a > > smaller granularity so the performance will degrade. > > A quick search through the crypto code shows that ahash_save_req and > seqiv_aead_encrypt return -ENOMEM. > > Will you fix them? And also ablkcipher_next_slow, ablkcipher_copy_iv, skcipher_next_slow, skcipher_next_copy, skcipher_copy_iv, blkcipher_next_slow, blkcipher_copy_iv. So, I think that dropping CRYPTO_TFM_REQ_MAY_SLEEP is not possible. Mikulas -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Fri, 24 Aug 2018, Herbert Xu wrote: > On Thu, Aug 23, 2018 at 04:39:23PM -0400, Mikulas Patocka wrote: > > > > 1. don't set CRYPTO_TFM_REQ_MAY_SLEEP in dm-crypt > > = > > If we don't set it, dm-crypt will use GFP_ATOMIC and GFP_ATOMIC may fail. > > The function init_crypt in xts.c handles the failure gracefully - but the > > question is - does the whole crypto code handle allocation failures > > gracefully? If not and if it returns -ENOMEM somewhere, it would result in > > I/O errors and data corruption. > > It is safe to use GFP_ATOMIC. First of the allocation is really > small (less than a page) so it will only fail when the system is > almost completely out of memory. GFP_ATOMIC is used by networking code. If the system is in a situation when packets arrive faster than the swapper is able to swap, it will happen. It does happen during netwoking surge and corrupting the filesystem in tris situation is not acceptable. > Even when it does fail the crypto > operation will still succeed, albeit it will process things at a > smaller granularity so the performance will degrade. A quick search through the crypto code shows that ahash_save_req and seqiv_aead_encrypt return -ENOMEM. Will you fix them? > The sleeping part of that flag is also not an issue because it > only kicks in once per page. As this is going to be less than > or equal to a page it shouldn't matter. > > > 3. introduce new flag CRYPTO_TFM_REQ_MAY_SLEEP_NOIO > > === > > Would you like to introduce it? > > For now I don't think this is necessary given that this allocation > and similar ones in lrw and other places in the crypto API are just > performance enhancements and unlikely to fail except in very dire > situations. > > But if new problems arise I'm certainly not opposed to this. > > Thanks, > -- > Email: Herbert Xu > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt Mikulas -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel
Re: [dm-devel] Deadlock when using crypto API for block devices
On Thu, Aug 23, 2018 at 04:39:23PM -0400, Mikulas Patocka wrote: > > 1. don't set CRYPTO_TFM_REQ_MAY_SLEEP in dm-crypt > = > If we don't set it, dm-crypt will use GFP_ATOMIC and GFP_ATOMIC may fail. > The function init_crypt in xts.c handles the failure gracefully - but the > question is - does the whole crypto code handle allocation failures > gracefully? If not and if it returns -ENOMEM somewhere, it would result in > I/O errors and data corruption. It is safe to use GFP_ATOMIC. First of the allocation is really small (less than a page) so it will only fail when the system is almost completely out of memory. Even when it does fail the crypto operation will still succeed, albeit it will process things at a smaller granularity so the performance will degrade. The sleeping part of that flag is also not an issue because it only kicks in once per page. As this is going to be less than or equal to a page it shouldn't matter. > 3. introduce new flag CRYPTO_TFM_REQ_MAY_SLEEP_NOIO > === > Would you like to introduce it? For now I don't think this is necessary given that this allocation and similar ones in lrw and other places in the crypto API are just performance enhancements and unlikely to fail except in very dire situations. But if new problems arise I'm certainly not opposed to this. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel