RE: [PATCH v4 10/24] crypto: x86/poly - limit FPU preemption

From: Elliott, Robert (Servers)
Date: Mon Nov 28 2022 - 13:50:13 EST

Next message: Doug Anderson: "Re: [PATCH v2 1/2] dt-bindings: arm: qcom: Adding DT binding for zombie"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 00/13] rxrpc: Increasing SACK size and moving away from softirq, part 2"
In reply to: Elliott, Robert (Servers): "Re: [PATCH v4 10/24] crypto: x86/poly - limit FPU preemption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Fri, Nov 25, 2022 at 09:59:17AM +0100, Ard Biesheuvel wrote:
> > Note that it is only used in shash implementations, given that they
> > are the only ones that may receive unbounded inputs.
>
> Although typical usage probably doesn't stress this, the length of the
> additional associated data presented to aead implementations is
> unconstrained as well. At least in x86, they can end up processing
> multiple megabytes in one chunk like the hash functions (if the
> associated data is a big buffer described by a sg list created
> with sg_init_one()).
>

Reviewing the two arm64 aead drivers, aes-ce-ccm-glue.c solves that by
including this in the do/while loop in ccm_calculate_auth_mac():
n = min_t(u32, n, SZ_4K); /* yield NEON at least every 4k */

That was added by 36a916af641 ("crypto: arm64/aes-ccm - yield NEON
when processing auth-only data") in 2021, also relying on
41691c44606b ("crypto: arm64/aes-ccm - reduce NEON begin/end calls
for common case").

ghash-ce-glue.c seems to be missing that in its similar function named
gcm_calculate_auth_mac().

Next message: Doug Anderson: "Re: [PATCH v2 1/2] dt-bindings: arm: qcom: Adding DT binding for zombie"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 00/13] rxrpc: Increasing SACK size and moving away from softirq, part 2"
In reply to: Elliott, Robert (Servers): "Re: [PATCH v4 10/24] crypto: x86/poly - limit FPU preemption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]