On 07/08/2019 17:13, Pascal Van Leeuwen wrote: >>>> Seems there is no mistake in your code, it is some bug in aesni_intel implementation. >>>> If I disable this module, it works as expected (with aes generic and aes_i586). >>>> >>> That's odd though, considering there is a dedicated xts-aes-ni implementation, >>> i.e. I would not expect that to end up at the generic xts wrapper at all? >> >> Note it is 32bit system, AESNI XTS is under #ifdef CONFIG_X86_64 so it is not used. >> > Ok, so I guess no one bothered to make an optimized XTS version for i386. > I quickly browsed through the code - took me a while to realise the assembly is > "backwards" compared to the original Intel definition :-) - but I did not spot > anything obvious :-( > >> I guess it only ECB part ... Mystery solved, the skcipher subreq must be te last member in the struct. (Some comments in Adiantum code mentions it too, so I do not think it just hides the corruption after the struct. Seems like another magic requirement in crypto API :-) This chunk is enough to fix it for me: --- a/crypto/xts.c +++ b/crypto/xts.c @@ -33,8 +33,8 @@ struct xts_instance_ctx { struct rctx { le128 t, tcur; - struct skcipher_request subreq; int rem_bytes, is_encrypt; + struct skcipher_request subreq; }; While at it, shouldn't be is_encrypt bool? Thanks, Milan