On Mon, Aug 20, 2018 at 04:58:34PM +0200, Ard Biesheuvel wrote:
> Commit 71e52c278c54 ("crypto: arm64/aes-ce-gcm - operate on
> two input blocks at a time") modified the granularity at which
> the AES/GCM code processes its input to allow subsequent changes
> to be applied that improve performance by using aggregation to
> process multiple input blocks at once.
>
> For this reason, it doubled the algorithm's 'chunksize' property
> to 2 x AES_BLOCK_SIZE, but retained the non-SIMD fallback path that
> processes a single block at a time. In some cases, this violates the
> skcipher scatterwalk API, by calling skcipher_walk_done() with a
> non-zero residue value for a chunk that is expected to be handled
> in its entirety. This results in a WARN_ON() being hit by the TLS
> self test code, but is likely to break other use cases as well.
> Unfortunately, none of the current test cases exercises this exact
> code path at the moment.
>
> Fixes: 71e52c278c54 ("crypto: arm64/aes-ce-gcm - operate on two ...")
> Reported-by: Vakul Garg <vakul.garg@xxxxxxx>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

Patch applied.  Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
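The contract the commit message describes, as an added user-space model that is not part of this thread and not kernel code: the walk hands the caller chunks sized by the algorithm's 'chunksize', and a chunk that is not the final one has to be consumed entirely before skcipher_walk_done() is called, so a fallback that still processes one AES block per walk step breaks as soon as chunksize becomes 2 x AES_BLOCK_SIZE. The names walk_model, walk_next, walk_done and run_fallback are assumptions made for this example and do not exist in the kernel; the model flags every violation, whereas the real API only reports it with a WARN_ON() in its bounce-buffer path. The input lengths used are constructed and carry no real data.

```c
/*
 * Added example, not kernel code: a user-space model of the skcipher
 * scatterwalk contract. walk_model, walk_next, walk_done and run_fallback
 * are illustrative names that do not exist in the kernel.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define AES_BLOCK_SIZE 16

struct walk_model {
	size_t total;     /* bytes not yet consumed by the caller */
	size_t chunksize; /* the algorithm's 'chunksize' property */
	size_t nbytes;    /* bytes handed out by the current step */
	int warnings;     /* WARN_ON()-style hits, for the caller to inspect */
};

/*
 * Hand out the next piece of input. Simplification: exactly one chunk
 * per step; only the final step may be shorter than chunksize.
 */
static void walk_next(struct walk_model *w)
{
	w->nbytes = w->total < w->chunksize ? w->total : w->chunksize;
}

/*
 * Counterpart of skcipher_walk_done(): 'residue' is how many of the
 * nbytes handed out were NOT processed. A chunk that is not the last one
 * is expected to be handled in its entirety, so a non-zero residue there
 * is a contract violation; the kernel answers it with WARN_ON() and -EINVAL.
 */
static int walk_done(struct walk_model *w, size_t residue)
{
	bool final = (w->nbytes == w->total);

	if (residue && !final) {
		w->warnings++;
		return -EINVAL;
	}
	w->total -= w->nbytes - residue;
	w->nbytes = 0;
	return 0;
}

struct run_result {
	int err;          /* 0, or -EINVAL after a violation */
	int warnings;     /* number of contract violations seen */
	size_t processed; /* bytes the fallback actually handled */
};

/*
 * Drive a non-SIMD fallback over 'total' bytes with the given chunksize.
 * blocks_per_step == 1 models a fallback that handles one block per walk
 * step; 0 means "every whole block the walk handed out in this step".
 */
static struct run_result run_fallback(size_t total, size_t chunksize,
				      size_t blocks_per_step)
{
	struct walk_model w = { .total = total, .chunksize = chunksize };
	struct run_result r = { 0 };

	for (;;) {
		size_t avail, blocks;

		walk_next(&w);
		avail = w.nbytes / AES_BLOCK_SIZE;
		if (!avail)
			break; /* tail shorter than one block: left to the caller */

		blocks = blocks_per_step ? blocks_per_step : avail;
		if (blocks > avail)
			blocks = avail;
		/* the AES/GHASH work on 'blocks' blocks would happen here */
		r.processed += blocks * AES_BLOCK_SIZE;

		r.err = walk_done(&w, w.nbytes - blocks * AES_BLOCK_SIZE);
		if (r.err)
			break;
	}
	r.warnings = w.warnings;
	return r;
}

int main(void)
{
	/* constructed input length: 80 bytes = 5 AES blocks, no real data */
	struct run_result a = run_fallback(80, AES_BLOCK_SIZE, 1);
	struct run_result b = run_fallback(80, 2 * AES_BLOCK_SIZE, 1);
	struct run_result c = run_fallback(80, 2 * AES_BLOCK_SIZE, 0);

	printf("chunksize 16, 1 block/step:   err=%d warnings=%d\n", a.err, a.warnings);
	printf("chunksize 32, 1 block/step:   err=%d warnings=%d\n", b.err, b.warnings);
	printf("chunksize 32, whole chunk:    err=%d warnings=%d\n", c.err, c.warnings);
	return 0;
}
```

With chunksize left at AES_BLOCK_SIZE the one-block-per-step fallback never leaves a residue, which is why the code was fine before the chunksize was doubled; with chunksize 2 x AES_BLOCK_SIZE the very first walk step hands out 32 bytes, the fallback returns a residue of 16 for a chunk that is not the final one, and the model records the violation. Consuming every whole block the walk handed out keeps the residue at zero on all but the final chunk.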