> On Fri, Nov 25, 2022 at 09:59:17AM +0100, Ard Biesheuvel wrote: > > Note that it is only used in shash implementations, given that they > > are the only ones that may receive unbounded inputs. > > Although typical usage probably doesn't stress this, the length of the > additional associated data presented to aead implementations is > unconstrained as well. At least in x86, they can end up processing > multiple megabytes in one chunk like the hash functions (if the > associated data is a big buffer described by a sg list created > with sg_init_one()). > Reviewing the two arm64 aead drivers, aes-ce-ccm-glue.c solves that by including this in the do/while loop in ccm_calculate_auth_mac(): n = min_t(u32, n, SZ_4K); /* yield NEON at least every 4k */ That was added by 36a916af641 ("crypto: arm64/aes-ccm - yield NEON when processing auth-only data") in 2021, also relying on 41691c44606b ("crypto: arm64/aes-ccm - reduce NEON begin/end calls for common case"). ghash-ce-glue.c seems to be missing that in its similar function named gcm_calculate_auth_mac().