On 3/16/2018 2:42 PM, Christophe LEROY wrote:
> On 16/03/2018 at 09:48, Horia Geantă wrote:
>> For SEC 2.x+, cipher in length must contain only the ciphertext length.
>> In case of using hardware ICV checking, the ICV length is provided via
>> the "extent" field of the descriptor pointer.
>>
>> Cc: <stable@xxxxxxxxxxxxxxx> # 4.8+
>> Fixes: 549bd8bc5987 ("crypto: talitos - Implement AEAD for SEC1 using HMAC_SNOOP_NO_AFEU")
>
> It looks like the issue comes more from commit fbb22137c4d9b ("crypto:
> talitos - fix use of sg_link_tbl_len"), doesn't it ?
>
No, the first commit that breaks IPsec for SEC 2.x+ is the one I mentioned.

Afterwards, the refactoring of helper functions led to the current situation
where talitos_sg_map() is fed with a "len" parameter that is used for two things:
- HW S/G table entries generation
- setting talitos pointer length

But in certain cases (like pointer nr. 4 - cipher in - for SEC 2.x+ IPsec),
talitos pointer length is only part of the total length, the other part being
set in the "extent" pointer field.
Currently talitos_sg_map() does not accommodate for this case.

In order to keep the fix to a minimum I've overwritten talitos pointer length:
- first talitos_sg_map() sets length to sg_link_tbl_len = cryptlen + authsize
- in case of SEC 2.x IPsec, length is corrected to cryptlen (while extent = authsize)

Regards,
Horia
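
The length split described in the message above, as an added example that is not part of the original post and is not the talitos driver's code. It is a simplified C model: `model_ptr`, `model_sg_entry`, `model_sg_map()` and `model_cipher_in()` are hypothetical names, and the segment sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model; these are not the driver's real structures. */
struct model_ptr { uint16_t len; uint8_t extent; };
struct model_sg_entry { uint16_t len; bool last; };

/* As with the helper described above, "len" serves two purposes here:
 * it bounds the link-table entries and it becomes the pointer length. */
static int model_sg_map(const uint16_t *seg, int nseg, unsigned int len,
                        struct model_sg_entry *tbl, struct model_ptr *ptr)
{
    unsigned int left = len;
    int n = 0;

    for (int i = 0; i < nseg && left; i++, n++) {
        tbl[n].len = seg[i] < left ? seg[i] : (uint16_t)left;
        tbl[n].last = false;
        left -= tbl[n].len;
    }
    if (left)
        return -1;              /* segments do not cover len */
    if (n)
        tbl[n - 1].last = true; /* terminate the table */
    ptr->len = (uint16_t)len;
    ptr->extent = 0;
    return n;
}

/* Cipher-in setup: map cryptlen + authsize, then split for SEC 2.x IPsec. */
static int model_cipher_in(const uint16_t *seg, int nseg, unsigned int cryptlen,
                           unsigned int authsize, bool sec2_ipsec,
                           struct model_sg_entry *tbl, struct model_ptr *ptr)
{
    int n = model_sg_map(seg, nseg, cryptlen + authsize, tbl, ptr);
    if (n > 0 && sec2_ipsec) {
        ptr->len = (uint16_t)cryptlen;   /* ciphertext only */
        ptr->extent = (uint8_t)authsize; /* ICV length */
    }
    return n;
}

int main(void)
{
    const uint16_t seg[] = { 16, 40, 32 }; /* constructed segment sizes */
    struct model_sg_entry tbl[3];
    struct model_ptr p;
    return model_cipher_in(seg, 3, 64, 12, true, tbl, &p) == 3 ? 0 : 1;
}
```

In the corrected case the link table still covers `cryptlen + authsize` bytes, while the pointer's `len` and `extent` together account for the same total.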