drivers/nvme/host/auth.c | 1 + drivers/nvme/target/auth.c | 3 ++- drivers/nvme/target/fabrics-cmd-auth.c | 1 + drivers/nvme/target/nvmet.h | 1 + 4 files changed, 5 insertions(+), 1 deletion(-)
From: Alistair Francis <alistair.francis@wdc.com>
Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added
the sc_c variable to the dhchap queue context structure which is
appropriately set during negotiate and then used in the host response.
This breaks secure concat connections with a Linux target as the target
code wasn't updated at the same time. This patch fixes this by adding a
new sc_c variable to the host hash calculations.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
drivers/nvme/host/auth.c | 1 +
drivers/nvme/target/auth.c | 3 ++-
drivers/nvme/target/fabrics-cmd-auth.c | 1 +
drivers/nvme/target/nvmet.h | 1 +
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index a01178caf15b..19980122d3d5 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -492,6 +492,7 @@ static int nvme_auth_dhchap_setup_host_response(struct nvme_ctrl *ctrl,
ret = crypto_shash_update(shash, buf, 2);
if (ret)
goto out;
+ memset(buf, 0, sizeof(buf));
*buf = chap->sc_c;
ret = crypto_shash_update(shash, buf, 1);
if (ret)
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index b340380f3892..f3cf7236e080 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -367,7 +367,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
ret = crypto_shash_update(shash, buf, 2);
if (ret)
goto out;
- memset(buf, 0, 4);
+ *buf = req->sq->sc_c;
ret = crypto_shash_update(shash, buf, 1);
if (ret)
goto out;
@@ -377,6 +377,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));
if (ret)
goto out;
+ memset(buf, 0, sizeof(buf));
ret = crypto_shash_update(shash, buf, 1);
if (ret)
goto out;
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index bf01ec414c55..50639e6e31eb 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -43,6 +43,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
data->auth_protocol[0].dhchap.halen,
data->auth_protocol[0].dhchap.dhlen);
req->sq->dhchap_tid = le16_to_cpu(data->t_id);
+ req->sq->sc_c = le16_to_cpu(data->sc_c);
if (data->sc_c != NVME_AUTH_SECP_NOSC) {
if (!IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS))
return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 51df72f5e89b..f3b09f4099f0 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -159,6 +159,7 @@ struct nvmet_sq {
bool authenticated;
struct delayed_work auth_expired_work;
u16 dhchap_tid;
+ u8 sc_c;
u8 dhchap_status;
u8 dhchap_step;
u8 *dhchap_c1;
--
2.51.0Hi,
kernel test robot noticed the following build warnings:
[auto build test WARNING on v6.18-rc3]
[also build test WARNING on linus/master next-20251029]
[cannot apply to linux-nvme/for-next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/alistair23-gmail-com/nvmet-auth-update-sc_c-in-target-host-hash-calculation/20251029-125459
base: v6.18-rc3
patch link: https://lore.kernel.org/r/20251029045327.2035337-1-alistair.francis%40wdc.com
patch subject: [PATCH] nvmet-auth: update sc_c in target host hash calculation
config: mips-randconfig-r132-20251030 (https://download.01.org/0day-ci/archive/20251030/202510301404.e9AFI3TO-lkp@intel.com/config)
compiler: mips64-linux-gcc (GCC) 8.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251030/202510301404.e9AFI3TO-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510301404.e9AFI3TO-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> drivers/nvme/target/fabrics-cmd-auth.c:46:25: sparse: sparse: cast to restricted __le16
vim +46 drivers/nvme/target/fabrics-cmd-auth.c
33
34 static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
35 {
36 struct nvmet_ctrl *ctrl = req->sq->ctrl;
37 struct nvmf_auth_dhchap_negotiate_data *data = d;
38 int i, hash_id = 0, fallback_hash_id = 0, dhgid, fallback_dhgid;
39
40 pr_debug("%s: ctrl %d qid %d: data sc_d %d napd %d authid %d halen %d dhlen %d\n",
41 __func__, ctrl->cntlid, req->sq->qid,
42 data->sc_c, data->napd, data->auth_protocol[0].dhchap.authid,
43 data->auth_protocol[0].dhchap.halen,
44 data->auth_protocol[0].dhchap.dhlen);
45 req->sq->dhchap_tid = le16_to_cpu(data->t_id);
> 46 req->sq->sc_c = le16_to_cpu(data->sc_c);
47 if (data->sc_c != NVME_AUTH_SECP_NOSC) {
48 if (!IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS))
49 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
50 /* Secure concatenation can only be enabled on the admin queue */
51 if (req->sq->qid)
52 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
53 switch (data->sc_c) {
54 case NVME_AUTH_SECP_NEWTLSPSK:
55 if (nvmet_queue_tls_keyid(req->sq))
56 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
57 break;
58 case NVME_AUTH_SECP_REPLACETLSPSK:
59 if (!nvmet_queue_tls_keyid(req->sq))
60 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
61 break;
62 default:
63 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
64 }
65 ctrl->concat = true;
66 }
67
68 if (data->napd != 1)
69 return NVME_AUTH_DHCHAP_FAILURE_HASH_UNUSABLE;
70
71 if (data->auth_protocol[0].dhchap.authid !=
72 NVME_AUTH_DHCHAP_AUTH_ID)
73 return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
74
75 for (i = 0; i < data->auth_protocol[0].dhchap.halen; i++) {
76 u8 host_hmac_id = data->auth_protocol[0].dhchap.idlist[i];
77
78 if (!fallback_hash_id &&
79 crypto_has_shash(nvme_auth_hmac_name(host_hmac_id), 0, 0))
80 fallback_hash_id = host_hmac_id;
81 if (ctrl->shash_id != host_hmac_id)
82 continue;
83 hash_id = ctrl->shash_id;
84 break;
85 }
86 if (hash_id == 0) {
87 if (fallback_hash_id == 0) {
88 pr_debug("%s: ctrl %d qid %d: no usable hash found\n",
89 __func__, ctrl->cntlid, req->sq->qid);
90 return NVME_AUTH_DHCHAP_FAILURE_HASH_UNUSABLE;
91 }
92 pr_debug("%s: ctrl %d qid %d: no usable hash found, falling back to %s\n",
93 __func__, ctrl->cntlid, req->sq->qid,
94 nvme_auth_hmac_name(fallback_hash_id));
95 ctrl->shash_id = fallback_hash_id;
96 }
97
98 dhgid = -1;
99 fallback_dhgid = -1;
100 for (i = 0; i < data->auth_protocol[0].dhchap.dhlen; i++) {
101 int tmp_dhgid = data->auth_protocol[0].dhchap.idlist[i + 30];
102
103 if (tmp_dhgid != ctrl->dh_gid) {
104 dhgid = tmp_dhgid;
105 break;
106 }
107 if (fallback_dhgid < 0) {
108 const char *kpp = nvme_auth_dhgroup_kpp(tmp_dhgid);
109
110 if (crypto_has_kpp(kpp, 0, 0))
111 fallback_dhgid = tmp_dhgid;
112 }
113 }
114 if (dhgid < 0) {
115 if (fallback_dhgid < 0) {
116 pr_debug("%s: ctrl %d qid %d: no usable DH group found\n",
117 __func__, ctrl->cntlid, req->sq->qid);
118 return NVME_AUTH_DHCHAP_FAILURE_DHGROUP_UNUSABLE;
119 }
120 pr_debug("%s: ctrl %d qid %d: configured DH group %s not found\n",
121 __func__, ctrl->cntlid, req->sq->qid,
122 nvme_auth_dhgroup_name(fallback_dhgid));
123 ctrl->dh_gid = fallback_dhgid;
124 }
125 if (ctrl->dh_gid == NVME_AUTH_DHGROUP_NULL && ctrl->concat) {
126 pr_debug("%s: ctrl %d qid %d: NULL DH group invalid "
127 "for secure channel concatenation\n", __func__,
128 ctrl->cntlid, req->sq->qid);
129 return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
130 }
131 pr_debug("%s: ctrl %d qid %d: selected DH group %s (%d)\n",
132 __func__, ctrl->cntlid, req->sq->qid,
133 nvme_auth_dhgroup_name(ctrl->dh_gid), ctrl->dh_gid);
134 return 0;
135 }
136
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
On 10/29/25 05:53, alistair23@gmail.com wrote: > From: Alistair Francis <alistair.francis@wdc.com> > > Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added > the sc_c variable to the dhchap queue context structure which is > appropriately set during negotiate and then used in the host response. > > This breaks secure concat connections with a Linux target as the target > code wasn't updated at the same time. This patch fixes this by adding a > new sc_c variable to the host hash calculations. > > Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > --- > drivers/nvme/host/auth.c | 1 + > drivers/nvme/target/auth.c | 3 ++- > drivers/nvme/target/fabrics-cmd-auth.c | 1 + > drivers/nvme/target/nvmet.h | 1 + > 4 files changed, 5 insertions(+), 1 deletion(-) > I've already send a similar patch for this, which actually should already have been merged. Can you check if that works for you? Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On Wed, Oct 29, 2025 at 6:10 PM Hannes Reinecke <hare@suse.de> wrote: > > On 10/29/25 05:53, alistair23@gmail.com wrote: > > From: Alistair Francis <alistair.francis@wdc.com> > > > > Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added > > the sc_c variable to the dhchap queue context structure which is > > appropriately set during negotiate and then used in the host response. > > > > This breaks secure concat connections with a Linux target as the target > > code wasn't updated at the same time. This patch fixes this by adding a > > new sc_c variable to the host hash calculations. > > > > Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > > --- > > drivers/nvme/host/auth.c | 1 + > > drivers/nvme/target/auth.c | 3 ++- > > drivers/nvme/target/fabrics-cmd-auth.c | 1 + > > drivers/nvme/target/nvmet.h | 1 + > > 4 files changed, 5 insertions(+), 1 deletion(-) > > > I've already send a similar patch for this, which actually should > already have been merged. > Can you check if that works for you? I checked master when I sent this and there was nothing applied. Is it in a different tree? Alistair > > Cheers, > > Hannes > -- > Dr. Hannes Reinecke Kernel Storage Architect > hare@suse.de +49 911 74053 688 > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On 10/29/25 12:20, Alistair Francis wrote: > On Wed, Oct 29, 2025 at 6:10 PM Hannes Reinecke <hare@suse.de> wrote: >> >> On 10/29/25 05:53, alistair23@gmail.com wrote: >>> From: Alistair Francis <alistair.francis@wdc.com> >>> >>> Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added >>> the sc_c variable to the dhchap queue context structure which is >>> appropriately set during negotiate and then used in the host response. >>> >>> This breaks secure concat connections with a Linux target as the target >>> code wasn't updated at the same time. This patch fixes this by adding a >>> new sc_c variable to the host hash calculations. >>> >>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> >>> --- >>> drivers/nvme/host/auth.c | 1 + >>> drivers/nvme/target/auth.c | 3 ++- >>> drivers/nvme/target/fabrics-cmd-auth.c | 1 + >>> drivers/nvme/target/nvmet.h | 1 + >>> 4 files changed, 5 insertions(+), 1 deletion(-) >>> >> I've already send a similar patch for this, which actually should >> already have been merged. >> Can you check if that works for you? > > I checked master when I sent this and there was nothing applied. Is it > in a different tree? > https://lore.kernel.org/linux-nvme/aPl4-6WQ940kUso7@kbusch-mbp/T/#t Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On Wed, Oct 29, 2025 at 9:33 PM Hannes Reinecke <hare@suse.de> wrote: > > On 10/29/25 12:20, Alistair Francis wrote: > > On Wed, Oct 29, 2025 at 6:10 PM Hannes Reinecke <hare@suse.de> wrote: > >> > >> On 10/29/25 05:53, alistair23@gmail.com wrote: > >>> From: Alistair Francis <alistair.francis@wdc.com> > >>> > >>> Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added > >>> the sc_c variable to the dhchap queue context structure which is > >>> appropriately set during negotiate and then used in the host response. > >>> > >>> This breaks secure concat connections with a Linux target as the target > >>> code wasn't updated at the same time. This patch fixes this by adding a > >>> new sc_c variable to the host hash calculations. > >>> > >>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> > >>> --- > >>> drivers/nvme/host/auth.c | 1 + > >>> drivers/nvme/target/auth.c | 3 ++- > >>> drivers/nvme/target/fabrics-cmd-auth.c | 1 + > >>> drivers/nvme/target/nvmet.h | 1 + > >>> 4 files changed, 5 insertions(+), 1 deletion(-) > >>> > >> I've already send a similar patch for this, which actually should > >> already have been merged. > >> Can you check if that works for you? > > > > I checked master when I sent this and there was nothing applied. Is it > > in a different tree? > > > > https://lore.kernel.org/linux-nvme/aPl4-6WQ940kUso7@kbusch-mbp/T/#t Thanks. Your patch is now in master, but doesn't fix the issue for me. I still get failures with a secure concat connection. My patch (rebased on top of yours) fixes the issue for me Alistair > > Cheers, > > Hannes > -- > Dr. Hannes Reinecke Kernel Storage Architect > hare@suse.de +49 911 74053 688 > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
On 11/3/25 03:28, Alistair Francis wrote: > On Wed, Oct 29, 2025 at 9:33 PM Hannes Reinecke <hare@suse.de> wrote: >> >> On 10/29/25 12:20, Alistair Francis wrote: >>> On Wed, Oct 29, 2025 at 6:10 PM Hannes Reinecke <hare@suse.de> wrote: >>>> >>>> On 10/29/25 05:53, alistair23@gmail.com wrote: >>>>> From: Alistair Francis <alistair.francis@wdc.com> >>>>> >>>>> Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added >>>>> the sc_c variable to the dhchap queue context structure which is >>>>> appropriately set during negotiate and then used in the host response. >>>>> >>>>> This breaks secure concat connections with a Linux target as the target >>>>> code wasn't updated at the same time. This patch fixes this by adding a >>>>> new sc_c variable to the host hash calculations. >>>>> >>>>> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> >>>>> --- >>>>> drivers/nvme/host/auth.c | 1 + >>>>> drivers/nvme/target/auth.c | 3 ++- >>>>> drivers/nvme/target/fabrics-cmd-auth.c | 1 + >>>>> drivers/nvme/target/nvmet.h | 1 + >>>>> 4 files changed, 5 insertions(+), 1 deletion(-) >>>>> >>>> I've already send a similar patch for this, which actually should >>>> already have been merged. >>>> Can you check if that works for you? >>> >>> I checked master when I sent this and there was nothing applied. Is it >>> in a different tree? >>> >> >> https://lore.kernel.org/linux-nvme/aPl4-6WQ940kUso7@kbusch-mbp/T/#t > > Thanks. > > Your patch is now in master, but doesn't fix the issue for me. I still > get failures with a secure concat connection. > > My patch (rebased on top of yours) fixes the issue for me > Ah. So please add a proper 'Fixes' tag. (and fixup the kbuild failure while at it ...) Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
© 2016 - 2026 Red Hat, Inc.