Herbert Xu wrote: > This was detected by the self-test thanks to Ard's chunking patch. > > I finally got around to testing this out on my ancient Via box. It > turns out that the workaround got the assembly wrong and we end up > doing count + initial cycles of the loop instead of just count. > > This obviously causes corruption, either by overwriting the source > that is yet to be processed, or writing over the end of the buffer. > > On CPUs that don't require the workaround only ECB is affected. > On Nano CPUs both ECB and CBC are affected. > > This patch fixes it by doing the subtraction prior to the assembly. > > Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...") > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: Jamie Heilman <jamie@xxxxxxxxxxxxxxxxxxxxx> > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Yay! Tested against 4.14.55 and the self-test passes now on my Esther system. > diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c > index 1c6cbda..09d823d 100644 > --- a/drivers/crypto/padlock-aes.c > +++ b/drivers/crypto/padlock-aes.c > @@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, > return; > } > > + count -= initial; > + > if (initial) > asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ > : "+S"(input), "+D"(output) > @@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key, > > asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ > : "+S"(input), "+D"(output) > - : "d"(control_word), "b"(key), "c"(count - initial)); > + : "d"(control_word), "b"(key), "c"(count)); > } > > static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, > @@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, > if (count < cbc_fetch_blocks) > return cbc_crypt(input, output, key, iv, control_word, count); > > + count -= initial; > + > if (initial) > asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ > : "+S" (input), "+D" (output), "+a" (iv) > @@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, > > asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ > : "+S" (input), "+D" (output), "+a" (iv) > - : "d" (control_word), "b" (key), "c" (count-initial)); > + : "d" (control_word), "b" (key), "c" (count)); > return iv; > } > > -- > Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- Jamie Heilman http://audible.transient.net/~jamie/