[dm-devel] Deadlock when using crypto API for block devices

Dave Watson davejwatson at fb.com
Fri Aug 24 16:02:55 UTC 2018

On 08/24/18 09:22 PM, Herbert Xu wrote:
> > > BTW. gcmaes_crypt_by_sg also contains GFP_ATOMIC and -ENOMEM, behind a 
> > > pretty complex condition. Do you mean that this condition is part of the 
> > > contract that the crypto API provides?
> > 
> > This is an implementation defect.  I think for this case we should
> > fall back to software GCM if the accelerated version fails.
> > 
> > > Should "req->src->offset + req->src->length < PAGE_SIZE" use "<=" instead? 
> > > Because if the data ends up at page boundary, it will use the atomic 
> > > allocation that can fail.
> > 
> > This condition does look strange.  It's introduced by the commit
> > e845520707f85c539ce04bb73c6070e9441480be.   Dave, what exactly is
> > it meant to do?

The aesni routines still require linear AAD data, the condition checks
that the AAD data is linear, and if not, kmallocs and copies it to a
linear buffer.

Yes, the condition looks like it could be <= PAGE_SIZE, similar to the
one in gcmaes_encrypt.

Yes, we should fall back to software gcm if kmalloc fails, although
AAD data is usually small, and it is probably worth having a small
stack buffer before attempting to kmalloc.

More information about the dm-devel mailing list