Re: [RFC 01/10] crypto: factor async completion for general use

2017-05-11 Thread Gilad Ben-Yossef 
On Thu, May 11, 2017 at 11:09 AM, Eric Biggers  wrote:
> On Thu, May 11, 2017 at 10:29:47AM +0300, Gilad Ben-Yossef wrote:
>> > With regards to the wait being uninterruptible, I agree that this should 
>> > be the
>> > default behavior, because I think users waiting for specific crypto 
>> > requests are
>> > generally not prepared to handle the wait actually being interrupted.  
>> > After
>> > interruption the crypto operation will still proceed in the background, 
>> > and it
>> > will use buffers which the caller has in many cases already freed.  
>> > However, I'd
>> > suggest taking a close look at anything that was actually doing an 
>> > interruptible
>> > wait before, to see whether it was a bug or intentional (or "doesn't 
>> > matter").
>> >
>> > And yes there could always be a crypto_wait_req_interruptible() introduced 
>> > if
>> > some users need it.
>>
>> So this one was a bit of a shocker.  I though the  _interruptible use
>> sites seemed
>> wrong in the sense of being needless. However, after reading your feedback 
>> and
>> reviewing the code I'm pretty sure every single one of them (including
>> the one I've
>> added in dm-verity-target.c this merge window)  are down right dangerous and
>> can cause random data corruption... so thanks for pointing this out!
>>
>> I though of this patch set as a "make the code pretty" for 4.13 kind
>> of patch set.
>> Looks like it's a bug fix now, maybe even stable material.
>>
>> Anyway, I'll roll a v2 and we'll see.
>>
>
> Any that are called only by kernel threads would theoretically be safe since
> kernel threads don't ordinarily receive signals.  But I think that at least 
> the
> drbg and gcm waits can be reached by user threads, since they can be called 
> via
> algif_rng and algif_aead respectively.
>
> I recommend putting any important fixes first, so they can be backported 
> without
> depending on crypto_wait_req().
>

OK, I'll send out a separate bug fix series first and rebase the
crypto_wait one on top
of it then.

Thanks,
Gilad

-- 
Gilad Ben-Yossef
Chief Coffee Drinker

"If you take a class in large-scale robotics, can you end up in a
situation where the homework eats your dog?"
 -- Jean-Baptiste Queru
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 01/10] crypto: factor async completion for general use

2017-05-11 Thread Eric Biggers 
On Thu, May 11, 2017 at 10:29:47AM +0300, Gilad Ben-Yossef wrote:
> > With regards to the wait being uninterruptible, I agree that this should be 
> > the
> > default behavior, because I think users waiting for specific crypto 
> > requests are
> > generally not prepared to handle the wait actually being interrupted.  After
> > interruption the crypto operation will still proceed in the background, and 
> > it
> > will use buffers which the caller has in many cases already freed.  
> > However, I'd
> > suggest taking a close look at anything that was actually doing an 
> > interruptible
> > wait before, to see whether it was a bug or intentional (or "doesn't 
> > matter").
> >
> > And yes there could always be a crypto_wait_req_interruptible() introduced 
> > if
> > some users need it.
> 
> So this one was a bit of a shocker.  I though the  _interruptible use
> sites seemed
> wrong in the sense of being needless. However, after reading your feedback and
> reviewing the code I'm pretty sure every single one of them (including
> the one I've
> added in dm-verity-target.c this merge window)  are down right dangerous and
> can cause random data corruption... so thanks for pointing this out!
> 
> I though of this patch set as a "make the code pretty" for 4.13 kind
> of patch set.
> Looks like it's a bug fix now, maybe even stable material.
> 
> Anyway, I'll roll a v2 and we'll see.
> 

Any that are called only by kernel threads would theoretically be safe since
kernel threads don't ordinarily receive signals.  But I think that at least the
drbg and gcm waits can be reached by user threads, since they can be called via
algif_rng and algif_aead respectively.

I recommend putting any important fixes first, so they can be backported without
depending on crypto_wait_req().

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 01/10] crypto: factor async completion for general use

2017-05-11 Thread Gilad Ben-Yossef 
Hi Eric,

On Thu, May 11, 2017 at 6:55 AM, Eric Biggers  wrote:
> Hi Gilad,
>
> On Sat, May 06, 2017 at 03:59:50PM +0300, Gilad Ben-Yossef wrote:
>> Invoking a possibly async. crypto op and waiting for completion
>> while correctly handling backlog processing is a common task
>> in the crypto API implementation and outside users of it.
>>
>> This patch re-factors one of the in crypto API implementation in
>> preparation for using it across the board instead of hand
>> rolled versions.
>
> Thanks for doing this!  It annoyed me too that there wasn't a helper function
> for this.  Just a few comments below:
>

Thank you for the review.
I will incorporate the feedback into v2.

...

> With regards to the wait being uninterruptible, I agree that this should be 
> the
> default behavior, because I think users waiting for specific crypto requests 
> are
> generally not prepared to handle the wait actually being interrupted.  After
> interruption the crypto operation will still proceed in the background, and it
> will use buffers which the caller has in many cases already freed.  However, 
> I'd
> suggest taking a close look at anything that was actually doing an 
> interruptible
> wait before, to see whether it was a bug or intentional (or "doesn't matter").
>
> And yes there could always be a crypto_wait_req_interruptible() introduced if
> some users need it.

So this one was a bit of a shocker.  I though the  _interruptible use
sites seemed
wrong in the sense of being needless. However, after reading your feedback and
reviewing the code I'm pretty sure every single one of them (including
the one I've
added in dm-verity-target.c this merge window)  are down right dangerous and
can cause random data corruption... so thanks for pointing this out!

I though of this patch set as a "make the code pretty" for 4.13 kind
of patch set.
Looks like it's a bug fix now, maybe even stable material.

Anyway, I'll roll a v2 and we'll see.

Thanks,
Gilad

-- 
Gilad Ben-Yossef
Chief Coffee Drinker

"If you take a class in large-scale robotics, can you end up in a
situation where the homework eats your dog?"
 -- Jean-Baptiste Queru
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 01/10] crypto: factor async completion for general use

2017-05-10 Thread Eric Biggers 
Hi Gilad,

On Sat, May 06, 2017 at 03:59:50PM +0300, Gilad Ben-Yossef wrote:
> Invoking a possibly async. crypto op and waiting for completion
> while correctly handling backlog processing is a common task
> in the crypto API implementation and outside users of it.
> 
> This patch re-factors one of the in crypto API implementation in
> preparation for using it across the board instead of hand
> rolled versions.

Thanks for doing this!  It annoyed me too that there wasn't a helper function
for this.  Just a few comments below:

> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
> index 3556d8e..bf4acaf 100644
> --- a/crypto/af_alg.c
> +++ b/crypto/af_alg.c
> @@ -480,33 +480,6 @@ int af_alg_cmsg_send(struct msghdr *msg, struct 
> af_alg_control *con)
>  }
>  EXPORT_SYMBOL_GPL(af_alg_cmsg_send);
>  
> -int af_alg_wait_for_completion(int err, struct af_alg_completion *completion)
> -{
> - switch (err) {
> - case -EINPROGRESS:
> - case -EBUSY:
> - wait_for_completion(>completion);
> - reinit_completion(>completion);
> - err = completion->err;
> - break;
> - };
> -
> - return err;
> -}
> -EXPORT_SYMBOL_GPL(af_alg_wait_for_completion);
> -
> -void af_alg_complete(struct crypto_async_request *req, int err)
> -{
> - struct af_alg_completion *completion = req->data;
> -
> - if (err == -EINPROGRESS)
> - return;
> -
> - completion->err = err;
> - complete(>completion);
> -}
> -EXPORT_SYMBOL_GPL(af_alg_complete);
> -

I think it would be cleaner to switch af_alg and algif_* over to the new
interface in its own patch, rather than in the same patch that introduces the
new interface.

> @@ -88,8 +88,8 @@ static int hash_sendmsg(struct socket *sock, struct msghdr 
> *msg,
>   if ((msg->msg_flags & MSG_MORE))
>   hash_free_result(sk, ctx);
>  
> - err = af_alg_wait_for_completion(crypto_ahash_init(>req),
> - >completion);
> + err = crypto_wait_req(crypto_ahash_init(>req),
> + >wait);
>   if (err)
>   goto unlock;
>   }

In general can you try to keep the argument lists indented sanely?  (This
applies throughout the patch series.)  e.g. here I'd have expected:

err = crypto_wait_req(crypto_ahash_init(>req),
  >wait);

>  
> diff --git a/crypto/api.c b/crypto/api.c
> index 941cd4c..1c6e9cd 100644
> --- a/crypto/api.c
> +++ b/crypto/api.c
> @@ -24,6 +24,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include "internal.h"
>  
>  LIST_HEAD(crypto_alg_list);
> @@ -595,5 +596,32 @@ int crypto_has_alg(const char *name, u32 type, u32 mask)
>  }
>  EXPORT_SYMBOL_GPL(crypto_has_alg);
>  
> +int crypto_wait_req(int err, struct crypto_wait *wait)
> +{
> + switch (err) {
> + case -EINPROGRESS:
> + case -EBUSY:
> + wait_for_completion(>completion);
> + reinit_completion(>completion);
> + err = wait->err;
> + break;
> + };
> +
> + return err;
> +}
> +EXPORT_SYMBOL_GPL(crypto_wait_req);

crypto_wait_req() maybe should be inlined, since it doesn't do much (note that
reinit_completion is actually just a variable assignment), and the common case
is that 'err' will be 0, so there will be nothing to wait for.

Also drop the unnecessary semicolon at the end of the switch block.

With regards to the wait being uninterruptible, I agree that this should be the
default behavior, because I think users waiting for specific crypto requests are
generally not prepared to handle the wait actually being interrupted.  After
interruption the crypto operation will still proceed in the background, and it
will use buffers which the caller has in many cases already freed.  However, I'd
suggest taking a close look at anything that was actually doing an interruptible
wait before, to see whether it was a bug or intentional (or "doesn't matter").

And yes there could always be a crypto_wait_req_interruptible() introduced if
some users need it.

>  
>  #define CRYPTO_MINALIGN_ATTR __attribute__ ((__aligned__(CRYPTO_MINALIGN)))
>  
> +/*
> + * Macro for declaring a crypto op async wait object on stack
> + */
> +#define DECLARE_CRYPTO_WAIT(_wait) \
> + struct crypto_wait _wait = { \
> + COMPLETION_INITIALIZER_ONSTACK((_wait).completion), 0 }
> +

Move this definition down below, so it's next to crypto_wait?

>  
>  /*
>   * Algorithm registration interface.
>   */
> @@ -1604,5 +1631,6 @@ static inline int crypto_comp_decompress(struct 
> crypto_comp *tfm,
>   src, slen, dst, dlen);
>  }
>  
> +

Don't add unrelated blank lines.

- Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at

[RFC 01/10] crypto: factor async completion for general use

2017-05-06 Thread Gilad Ben-Yossef 
Invoking a possibly async. crypto op and waiting for completion
while correctly handling backlog processing is a common task
in the crypto API implementation and outside users of it.

This patch re-factors one of the in crypto API implementation in
preparation for using it across the board instead of hand
rolled versions.

Signed-off-by: Gilad Ben-Yossef 
---
 crypto/af_alg.c | 27 ---
 crypto/algif_aead.c | 14 +++---
 crypto/algif_hash.c | 30 +++---
 crypto/algif_skcipher.c | 10 +-
 crypto/api.c| 28 
 include/crypto/if_alg.h | 14 --
 include/linux/crypto.h  | 28 
 7 files changed, 83 insertions(+), 68 deletions(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 3556d8e..bf4acaf 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -480,33 +480,6 @@ int af_alg_cmsg_send(struct msghdr *msg, struct 
af_alg_control *con)
 }
 EXPORT_SYMBOL_GPL(af_alg_cmsg_send);
 
-int af_alg_wait_for_completion(int err, struct af_alg_completion *completion)
-{
-   switch (err) {
-   case -EINPROGRESS:
-   case -EBUSY:
-   wait_for_completion(>completion);
-   reinit_completion(>completion);
-   err = completion->err;
-   break;
-   };
-
-   return err;
-}
-EXPORT_SYMBOL_GPL(af_alg_wait_for_completion);
-
-void af_alg_complete(struct crypto_async_request *req, int err)
-{
-   struct af_alg_completion *completion = req->data;
-
-   if (err == -EINPROGRESS)
-   return;
-
-   completion->err = err;
-   complete(>completion);
-}
-EXPORT_SYMBOL_GPL(af_alg_complete);
-
 static int __init af_alg_init(void)
 {
int err = proto_register(_proto, 0);
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index 8af664f..9543589 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -57,7 +57,7 @@ struct aead_ctx {
 
void *iv;
 
-   struct af_alg_completion completion;
+   struct crypto_wait wait;
 
unsigned long used;
 
@@ -648,10 +648,10 @@ static int aead_recvmsg_sync(struct socket *sock, struct 
msghdr *msg, int flags)
   used, ctx->iv);
aead_request_set_ad(>aead_req, ctx->aead_assoclen);
 
-   err = af_alg_wait_for_completion(ctx->enc ?
-crypto_aead_encrypt(>aead_req) :
-crypto_aead_decrypt(>aead_req),
->completion);
+   err = crypto_wait_req(ctx->enc ?
+crypto_aead_encrypt(>aead_req) :
+crypto_aead_decrypt(>aead_req),
+>wait);
 
if (err) {
/* EBADMSG implies a valid cipher operation took place */
@@ -912,7 +912,7 @@ static int aead_accept_parent_nokey(void *private, struct 
sock *sk)
ctx->enc = 0;
ctx->tsgl.cur = 0;
ctx->aead_assoclen = 0;
-   af_alg_init_completion(>completion);
+   crypto_init_wait(>wait);
sg_init_table(ctx->tsgl.sg, ALG_MAX_PAGES);
INIT_LIST_HEAD(>list);
 
@@ -920,7 +920,7 @@ static int aead_accept_parent_nokey(void *private, struct 
sock *sk)
 
aead_request_set_tfm(>aead_req, aead);
aead_request_set_callback(>aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG,
- af_alg_complete, >completion);
+ crypto_req_done, >wait);
 
sk->sk_destruct = aead_sock_destruct;
 
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 5e92bd2..fd7a6010 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -26,7 +26,7 @@ struct hash_ctx {
 
u8 *result;
 
-   struct af_alg_completion completion;
+   struct crypto_wait wait;
 
unsigned int len;
bool more;
@@ -88,8 +88,8 @@ static int hash_sendmsg(struct socket *sock, struct msghdr 
*msg,
if ((msg->msg_flags & MSG_MORE))
hash_free_result(sk, ctx);
 
-   err = af_alg_wait_for_completion(crypto_ahash_init(>req),
-   >completion);
+   err = crypto_wait_req(crypto_ahash_init(>req),
+   >wait);
if (err)
goto unlock;
}
@@ -110,8 +110,8 @@ static int hash_sendmsg(struct socket *sock, struct msghdr 
*msg,
 
ahash_request_set_crypt(>req, ctx->sgl.sg, NULL, len);
 
-   err = af_alg_wait_for_completion(crypto_ahash_update(>req),
->completion);
+   err = crypto_wait_req(crypto_ahash_update(>req),
+>wait);
af_alg_free_sg(>sgl);
if (err)
goto unlock;
@@