From nobody Sun May 24 18:42:23 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C88312D3EC7; Sat, 23 May 2026 19:43:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; cv=none; b=NDAv0se93hvBdmakv75t4PralmPnwH9S6E3qM8+3Kpo/MzFOOmiaAwDRQ9uRDuE/84E7Y7cl76AyWdTzVtrjtFCiRk+FQYqi/oOtqRpdKtYVNW9mF4aNLslLRCgUFvuncpSI9G6kgv+xH02qvPzHe86kaI/FOw5kGeWeLXsfGDo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; c=relaxed/simple; bh=DIqx3AgEaekumcir7z4dd96izRL4ntx2FIL2t/OUE5E=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=aEP2+XNlgVfamXVPuoFttppAywCHRe29LLF/UUCH5zShH5R8ZaVFNocl2oF5+c7Tp1bZjUQnjsCiNLeV6KgPcdahRfkYzhS9Y+Frm59JrbsNDCeC2UoI0KNQsc4TTkFJf2u/QurfRAN2BSl5YgDTyHeHfxwag8IZJgnyAHsv6og= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=J3DuJEtx; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="J3DuJEtx" Received: by smtp.kernel.org (Postfix) with ESMTPS id 7EA40C2BCB8; Sat, 23 May 2026 19:43:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779565389; bh=DIqx3AgEaekumcir7z4dd96izRL4ntx2FIL2t/OUE5E=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=J3DuJEtxIXXpFTZFQjzaAjJ5zgn8UQpRrk3PWGoAszcTes5rQHxlw09TcFrVa/NKV 3GUMCy/GjwP+MK52USEqXxM+44et3pZ1+D47P5oTGVhetlgprv+nYBra5gEVoY6pbI qBELdNBR1uluDuXzT20tf27EHoYHLSQbfmxCFZO4YcB8JEfsmUP/wDow9VffgfzBXt jdDQOE7tor58AHh4KOPQMEPO4mYB3ibkHeLp/r+gNC7Pa1m7iAbH0g3NkTO4l22x5n MyjJqnPetj2dEz+AT6dy+qsrcQ8HNzoh2c4m2YI7PJY84B/hCrtaprU00i4VNQnI9g YsyvvmAkdLNYA== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67D3FCD5BB1; Sat, 23 May 2026 19:43:09 +0000 (UTC) From: Demi Marie Obenour via B4 Relay Date: Sat, 23 May 2026 15:43:02 -0400 Subject: [PATCH 1/3] net: Remove support for AIO on sockets Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260523-af-alg-harden-v1-1-c76755c3a5c5@gmail.com> References: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> In-Reply-To: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> To: Herbert Xu , "David S. Miller" , Eric Dumazet , Kuniyuki Iwashima , Paolo Abeni , Willem de Bruijn , Jens Axboe , Jakub Kicinski , Simon Horman , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Jiri Olsa , Ian Rogers , Adrian Hunter , James Clark , Jonathan Corbet , Shuah Khan , Eric Biggers , Ard Biesheuvel Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-perf-users@vger.kernel.org, linux-doc@vger.kernel.org, Demi Marie Obenour X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779565388; l=11844; i=demiobenour@gmail.com; s=20250731; h=from:subject:message-id; bh=X4VpiwrEjiilqzmO26Lw8ocnY8n8PVtOcMW3zv/PW5M=; b=6qKjn9u6wn2u2hWtWsysheyBTd7UHG7kVKQYGIioKUJEsOegRhNcWJ72Cy0OEOte+9lRHK87v VdyS6TDXuZTC3+VOVpU6lzm4DVDbHFqXMnPDORctVqwON1KrrE4pf1H X-Developer-Key: i=demiobenour@gmail.com; a=ed25519; pk=4iGY+ynEKxIfs+fIUK9EzsvZ44yGE0GvXLeLTPKKPhI= X-Endpoint-Received: by B4 Relay for demiobenour@gmail.com/20250731 with auth_id=473 X-Original-From: Demi Marie Obenour Reply-To: demiobenour@gmail.com From: Demi Marie Obenour The only user of msg->msg_iocb was AF_ALG, but that's deprecated. It can be removed entirely at the cost of only supporting synchronous operations. This doesn't break userspace, which will silently block (for a bounded amount of time) in io_submit instead of operating asynchronously. This also makes struct msghdr smaller, helping every other caller of sendmsg(). Signed-off-by: Demi Marie Obenour --- crypto/af_alg.c | 33 +------------- crypto/algif_aead.c | 39 ++++------------ crypto/algif_skcipher.c | 62 +++++-----------------= ---- include/crypto/if_alg.h | 5 +-- include/linux/socket.h | 1 - io_uring/net.c | 1 - net/compat.c | 1 - net/socket.c | 7 +-- tools/perf/trace/beauty/include/linux/socket.h | 1 - 9 files changed, 25 insertions(+), 125 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 48c53f488e0fd30818e72439fe0c0d7e4cee1432..8ccf7a737cd6ca9a5d5bf47050c= 9afea0dfd61bf 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -1085,35 +1085,6 @@ void af_alg_free_resources(struct af_alg_async_req *= areq) } EXPORT_SYMBOL_GPL(af_alg_free_resources); =20 -/** - * af_alg_async_cb - AIO callback handler - * @data: async request completion data - * @err: if non-zero, error result to be returned via ki_complete(); - * otherwise return the AIO output length via ki_complete(). - * - * This handler cleans up the struct af_alg_async_req upon completion of t= he - * AIO operation. - * - * The number of bytes to be generated with the AIO operation must be set - * in areq->outlen before the AIO callback handler is invoked. - */ -void af_alg_async_cb(void *data, int err) -{ - struct af_alg_async_req *areq =3D data; - struct sock *sk =3D areq->sk; - struct kiocb *iocb =3D areq->iocb; - unsigned int resultlen; - - /* Buffer size written by crypto operation. */ - resultlen =3D areq->outlen; - - af_alg_free_resources(areq); - sock_put(sk); - - iocb->ki_complete(iocb, err ? err : (int)resultlen); -} -EXPORT_SYMBOL_GPL(af_alg_async_cb); - /** * af_alg_poll - poll system call handler * @file: file pointer @@ -1154,8 +1125,8 @@ struct af_alg_async_req *af_alg_alloc_areq(struct soc= k *sk, struct af_alg_ctx *ctx =3D alg_sk(sk)->private; struct af_alg_async_req *areq; =20 - /* Only one AIO request can be in flight. */ - if (ctx->inflight) + /* Only one request can be in flight. */ + if (WARN_ON_ONCE(ctx->inflight)) return ERR_PTR(-EBUSY); =20 areq =3D sock_kmalloc(sk, areqlen, GFP_KERNEL); diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index c6c2ce21895dd7df51dc825ed886ba7e1aa37130..60f06597cb0b13036bc975641a0= b02ea8a41ad03 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -197,37 +197,14 @@ static int _aead_recvmsg(struct socket *sock, struct = msghdr *msg, aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); aead_request_set_tfm(&areq->cra_u.aead_req, tfm); =20 - if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) { - /* AIO operation */ - sock_hold(sk); - areq->iocb =3D msg->msg_iocb; - - /* Remember output size that will be generated. */ - areq->outlen =3D outlen; - - aead_request_set_callback(&areq->cra_u.aead_req, - CRYPTO_TFM_REQ_MAY_SLEEP, - af_alg_async_cb, areq); - err =3D ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) : - crypto_aead_decrypt(&areq->cra_u.aead_req); - - /* AIO operation in progress */ - if (err =3D=3D -EINPROGRESS) - return -EIOCBQUEUED; - - sock_put(sk); - } else { - /* Synchronous operation */ - aead_request_set_callback(&areq->cra_u.aead_req, - CRYPTO_TFM_REQ_MAY_SLEEP | - CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &ctx->wait); - err =3D crypto_wait_req(ctx->enc ? - crypto_aead_encrypt(&areq->cra_u.aead_req) : - crypto_aead_decrypt(&areq->cra_u.aead_req), - &ctx->wait); - } - + aead_request_set_callback(&areq->cra_u.aead_req, + CRYPTO_TFM_REQ_MAY_SLEEP | + CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &ctx->wait); + err =3D crypto_wait_req(ctx->enc ? + crypto_aead_encrypt(&areq->cra_u.aead_req) : + crypto_aead_decrypt(&areq->cra_u.aead_req), + &ctx->wait); =20 free: af_alg_free_resources(areq); diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index ba0a17fd95aca22aa58ebf510c7d9b5f0cea2c2e..9dbccabd87b13920c27aff5a450= a235cc6a27d59 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -79,20 +79,6 @@ static int algif_skcipher_export(struct sock *sk, struct= skcipher_request *req) return err; } =20 -static void algif_skcipher_done(void *data, int err) -{ - struct af_alg_async_req *areq =3D data; - struct sock *sk =3D areq->sk; - - if (err) - goto out; - - err =3D algif_skcipher_export(sk, &areq->cra_u.skcipher_req); - -out: - af_alg_async_cb(data, err); -} - static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, size_t ignored, int flags) { @@ -171,43 +157,19 @@ static int _skcipher_recvmsg(struct socket *sock, str= uct msghdr *msg, cflags |=3D CRYPTO_SKCIPHER_REQ_CONT; } =20 - if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) { - /* AIO operation */ - sock_hold(sk); - areq->iocb =3D msg->msg_iocb; + skcipher_request_set_callback(&areq->cra_u.skcipher_req, + cflags | + CRYPTO_TFM_REQ_MAY_SLEEP | + CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &ctx->wait); + err =3D crypto_wait_req(ctx->enc ? + crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) : + crypto_skcipher_decrypt(&areq->cra_u.skcipher_req), + &ctx->wait); =20 - /* Remember output size that will be generated. */ - areq->outlen =3D len; - - skcipher_request_set_callback(&areq->cra_u.skcipher_req, - cflags | - CRYPTO_TFM_REQ_MAY_SLEEP, - algif_skcipher_done, areq); - err =3D ctx->enc ? - crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) : - crypto_skcipher_decrypt(&areq->cra_u.skcipher_req); - - /* AIO operation in progress */ - if (err =3D=3D -EINPROGRESS) - return -EIOCBQUEUED; - - sock_put(sk); - } else { - /* Synchronous operation */ - skcipher_request_set_callback(&areq->cra_u.skcipher_req, - cflags | - CRYPTO_TFM_REQ_MAY_SLEEP | - CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &ctx->wait); - err =3D crypto_wait_req(ctx->enc ? - crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) : - crypto_skcipher_decrypt(&areq->cra_u.skcipher_req), - &ctx->wait); - - if (!err) - err =3D algif_skcipher_export( - sk, &areq->cra_u.skcipher_req); - } + if (!err) + err =3D algif_skcipher_export( + sk, &areq->cra_u.skcipher_req); =20 free: af_alg_free_resources(areq); diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 0cc8fa749f68d2356789f72771c9e550b79e0b3d..62867daca47d76c9ea1a7ed2331= 88788c5f6c3c0 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -80,7 +80,6 @@ struct af_alg_rsgl { =20 /** * struct af_alg_async_req - definition of crypto request - * @iocb: IOCB for AIO operations * @sk: Socket the request is associated with * @first_rsgl: First RX SG * @last_rsgl: Pointer to last RX SG @@ -92,7 +91,6 @@ struct af_alg_rsgl { * @cra_u: Cipher request */ struct af_alg_async_req { - struct kiocb *iocb; struct sock *sk; =20 struct af_alg_rsgl first_rsgl; @@ -138,7 +136,7 @@ struct af_alg_async_req { * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. - * @inflight: Non-zero when AIO requests are in flight. + * @inflight: Non-zero when requests are in flight, for debugging only. */ struct af_alg_ctx { struct list_head tsgl_list; @@ -237,7 +235,6 @@ int af_alg_wait_for_data(struct sock *sk, unsigned flag= s, unsigned min); int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unsigned int ivsize); void af_alg_free_resources(struct af_alg_async_req *areq); -void af_alg_async_cb(void *data, int err); __poll_t af_alg_poll(struct file *file, struct socket *sock, poll_table *wait); struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, diff --git a/include/linux/socket.h b/include/linux/socket.h index ec4a0a0257939a5363c55bed3ccb20182965b2e3..3ffdfe184b23d0a739e095407e9= 56885d116c299 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -89,7 +89,6 @@ struct msghdr { bool msg_get_inq : 1;/* return INQ after receive */ unsigned int msg_flags; /* flags on received message */ __kernel_size_t msg_controllen; /* ancillary data buffer length */ - struct kiocb *msg_iocb; /* ptr to iocb for async requests */ struct ubuf_info *msg_ubuf; int (*sg_from_iter)(struct sk_buff *skb, struct iov_iter *from, size_t length); diff --git a/io_uring/net.c b/io_uring/net.c index 30cd22c0b934b97ce6e265756b24daca7d398361..22100933966af547dfe6a52e69f= c6882b4197234 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -771,7 +771,6 @@ static int io_recvmsg_prep_setup(struct io_kiocb *req) kmsg->msg.msg_control =3D NULL; kmsg->msg.msg_get_inq =3D 1; kmsg->msg.msg_controllen =3D 0; - kmsg->msg.msg_iocb =3D NULL; kmsg->msg.msg_ubuf =3D NULL; =20 if (req->flags & REQ_F_BUFFER_SELECT) diff --git a/net/compat.c b/net/compat.c index 2c9bd0edac997bc8c6ebd1bc8b92d8437ff32ea4..d68cf9c3aad5f7f1de84edbfffc= f99d71e89292a 100644 --- a/net/compat.c +++ b/net/compat.c @@ -75,7 +75,6 @@ int __get_compat_msghdr(struct msghdr *kmsg, if (msg->msg_iovlen > UIO_MAXIOV) return -EMSGSIZE; =20 - kmsg->msg_iocb =3D NULL; kmsg->msg_ubuf =3D NULL; return 0; } diff --git a/net/socket.c b/net/socket.c index 22a412fdec079cf8fd829a15236de9daea09d2f2..9785363858cef0c4e6f0efc45b1= 7c3d2add5a53c 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1213,8 +1213,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, str= uct iov_iter *to) { struct file *file =3D iocb->ki_filp; struct socket *sock =3D file->private_data; - struct msghdr msg =3D {.msg_iter =3D *to, - .msg_iocb =3D iocb}; + struct msghdr msg =3D {.msg_iter =3D *to}; ssize_t res; =20 if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)) @@ -1235,8 +1234,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, st= ruct iov_iter *from) { struct file *file =3D iocb->ki_filp; struct socket *sock =3D file->private_data; - struct msghdr msg =3D {.msg_iter =3D *from, - .msg_iocb =3D iocb}; + struct msghdr msg =3D {.msg_iter =3D *from}; ssize_t res; =20 if (iocb->ki_pos !=3D 0) @@ -2612,7 +2610,6 @@ int __copy_msghdr(struct msghdr *kmsg, if (msg->msg_iovlen > UIO_MAXIOV) return -EMSGSIZE; =20 - kmsg->msg_iocb =3D NULL; kmsg->msg_ubuf =3D NULL; return 0; } diff --git a/tools/perf/trace/beauty/include/linux/socket.h b/tools/perf/tr= ace/beauty/include/linux/socket.h index ec715ad4bf25f5f759d2cab3c6b796fed84df932..2a0a50fd66f41589f2699f7288a= 143873ce1bba6 100644 --- a/tools/perf/trace/beauty/include/linux/socket.h +++ b/tools/perf/trace/beauty/include/linux/socket.h @@ -89,7 +89,6 @@ struct msghdr { bool msg_get_inq : 1;/* return INQ after receive */ unsigned int msg_flags; /* flags on received message */ __kernel_size_t msg_controllen; /* ancillary data buffer length */ - struct kiocb *msg_iocb; /* ptr to iocb for async requests */ struct ubuf_info *msg_ubuf; int (*sg_from_iter)(struct sk_buff *skb, struct iov_iter *from, size_t length); --=20 2.54.0 From nobody Sun May 24 18:42:23 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C889B2F83A2; Sat, 23 May 2026 19:43:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; cv=none; b=Ek19lvAXk20tiGJxE1ckEWadga5bvAI2LlSRpGXin6UZqoaQddwouJcRfmuXYR7EA/OKln5aOEDGsM1SafLbwfR+9QXyuIZJ8tE2+C1DoQtITc0Z0zifE3hU3L2SUpspuC0elU6uDYz359xAogz7w5IKxw9sM/nS5w0EjxzXWpw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; c=relaxed/simple; bh=4x+kkur+itTL+nDNhRSO2XwvgLTLFONJnU89392Z2Vs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=aLBt6c9CT6uyVUSO2EAd0C9BsBDqJGWLX/1TnDJBL+R43wjZRRDxvueQi3+DQ8NQa0K+3N7pVFNlvvMCCJyZ6ynkXbM/4GCYzzCk02Py7wYW3zGMUsulEijswBlGU0o0CTwT6l8V7AZ99UuHW9QfeFqLMiUiHwUZzzlTsfKgESo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=rJbsgTWu; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="rJbsgTWu" Received: by smtp.kernel.org (Postfix) with ESMTPS id 86A34C4AF09; Sat, 23 May 2026 19:43:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779565389; bh=4x+kkur+itTL+nDNhRSO2XwvgLTLFONJnU89392Z2Vs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=rJbsgTWuJl+X3OY5erMcPNBSa/w9leRseYmrl6tN4cngzWrEKZpIVOsmTkvM76t9c Eds0RYlp4LU05ENmBSeZPJP348BDz4cOXEqNkVB+lk/bcJGHg0MFVj5ZjKodf3cZmT Kvh8fdd8gbmlluKv6UCMLlbf0qHaXW4AlAXrI9zBTmWkejL497VUNuHuXlRTDVBdk5 o0cULeKnfVS/96+TBXCbS9JL3bBHLtG30uyR+i2JPZMFaDrghQOYUps0WjyQWWqW/v FP5rnWsRp8RJ0af/Cbygi8GlZXvqvZ+n8Y3CX9bpKAlEkhbqsUp6ynEt8btimH1nDN BAwYWpfQwGgOQ== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 766E9CD5BC7; Sat, 23 May 2026 19:43:09 +0000 (UTC) From: Demi Marie Obenour via B4 Relay Date: Sat, 23 May 2026 15:43:03 -0400 Subject: [PATCH 2/3] AF_ALG: Drop support for off-CPU cryptography Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260523-af-alg-harden-v1-2-c76755c3a5c5@gmail.com> References: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> In-Reply-To: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> To: Herbert Xu , "David S. Miller" , Eric Dumazet , Kuniyuki Iwashima , Paolo Abeni , Willem de Bruijn , Jens Axboe , Jakub Kicinski , Simon Horman , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Jiri Olsa , Ian Rogers , Adrian Hunter , James Clark , Jonathan Corbet , Shuah Khan , Eric Biggers , Ard Biesheuvel Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-perf-users@vger.kernel.org, linux-doc@vger.kernel.org, Demi Marie Obenour X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779565388; l=6842; i=demiobenour@gmail.com; s=20250731; h=from:subject:message-id; bh=WvOsgYHUhof7lfEUPLefwcNPmpsYzNcw3EP4UmhJBvQ=; b=tOimiiGZzW9nPiZOY/pmr9YuzEsYZH6qY4xlblpCOVSlHm1Vxy18eK4FnE3vInfagtRspluWZ HbAqXq5Uw+4CheXH8HBI0vPX9cDE0K9IUMBEo9fknx5MbHnW7mQmmIe X-Developer-Key: i=demiobenour@gmail.com; a=ed25519; pk=4iGY+ynEKxIfs+fIUK9EzsvZ44yGE0GvXLeLTPKKPhI= X-Endpoint-Received: by B4 Relay for demiobenour@gmail.com/20250731 with auth_id=473 X-Original-From: Demi Marie Obenour Reply-To: demiobenour@gmail.com From: Demi Marie Obenour AF_ALG is deprecated and exposed to unprivileged userspace. Only use the least buggy algorithm implementations: the pure software ones. This removes one of the main advantages of AF_ALG, which is the ability to use it with off-CPU accelerators. However, using off-CPU accelerators has huge overheads, both in performance and attack surface. I have yet to see real-world, performance-critical workloads where using an accelerator via AF_ALG is actually a win over doing cryptography in userspace. If using an off-CPU accelerator really does turn out to be a win, a new API should be developed that is actually a good fit for it. Signed-off-by: Demi Marie Obenour --- Documentation/crypto/userspace-if.rst | 7 ++++++- crypto/af_alg.c | 2 +- crypto/algif_aead.c | 4 ++-- crypto/algif_hash.c | 4 ++-- crypto/algif_rng.c | 4 ++-- crypto/algif_skcipher.c | 4 ++-- include/crypto/if_alg.h | 14 +++++++++++++- 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/Documentation/crypto/userspace-if.rst b/Documentation/crypto/u= serspace-if.rst index ea1b1b3f4049fd4673528dc2a6234f6376a3489f..b31117d4415dda6ad6ca36275e6= 15bec7df9552e 100644 --- a/Documentation/crypto/userspace-if.rst +++ b/Documentation/crypto/userspace-if.rst @@ -9,7 +9,8 @@ symmetric cipher, AEAD, and RNG algorithms that are impleme= nted in kernel-mode code. =20 AF_ALG is insecure and is deprecated. Originally added to the kernel in 20= 10, -most kernel developers now consider it to be a mistake. +most kernel developers now consider it to be a mistake. Support for hardwa= re +accelerators, which was the original purpose of AF_ALG, has been removed. =20 AF_ALG continues to be supported only for backwards compatibility. On syst= ems where no programs using AF_ALG remain, the support for it should be disabl= ed by @@ -59,6 +60,10 @@ Some of the examples include: - CVE-2013-7421 - CVE-2011-4081 =20 +Hardware accelerator drivers are frequently buggy. To reduce attack surfac= e, +AF_ALG now only provides access to algorithms implemented in software. This +means that AF_ALG no longer fulfills its original purpose. + It is recommended that, whenever possible, userspace programs be migrated = to userspace crypto code (which again, is what is normally used anyway) and ``CONFIG_CRYPTO_USER_API_*`` be disabled. On systems that use SELinux, SE= Linux diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 8ccf7a737cd6ca9a5d5bf47050c9afea0dfd61bf..cce000e8590e469927b5a5a0cec= cfdf0ef54633d 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -181,7 +181,7 @@ static int alg_bind(struct socket *sock, struct sockadd= r_unsized *uaddr, int add if (IS_ERR(type)) return PTR_ERR(type); =20 - private =3D type->bind(sa->salg_name, sa->salg_feat, sa->salg_mask); + private =3D type->bind(sa->salg_name); if (IS_ERR(private)) { module_put(type->owner); return PTR_ERR(private); diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index 60f06597cb0b13036bc975641a0b02ea8a41ad03..787aac8aeb24eed128f08345ba7= 30478113919b3 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -342,9 +342,9 @@ static struct proto_ops algif_aead_ops_nokey =3D { .poll =3D af_alg_poll, }; =20 -static void *aead_bind(const char *name, u32 type, u32 mask) +static void *aead_bind(const char *name) { - return crypto_alloc_aead(name, type, mask); + return crypto_alloc_aead(name, 0, AF_ALG_CRYPTOAPI_MASK); } =20 static void aead_release(void *private) diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index 4d3dfc60a16a6d8b677d903d209df18d67202c98..5452ad6c15069c3cb0ff78fe588= 68fe7ce4b0fc3 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -380,9 +380,9 @@ static struct proto_ops algif_hash_ops_nokey =3D { .accept =3D hash_accept_nokey, }; =20 -static void *hash_bind(const char *name, u32 type, u32 mask) +static void *hash_bind(const char *name) { - return crypto_alloc_ahash(name, type, mask); + return crypto_alloc_ahash(name, 0, AF_ALG_CRYPTOAPI_MASK); } =20 static void hash_release(void *private) diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c index a9fb492e929a70c94476f296f5f5e7c42f0313b7..4dfe7899f8fa4ce82d5f2236297= 230fb44bc35d6 100644 --- a/crypto/algif_rng.c +++ b/crypto/algif_rng.c @@ -197,7 +197,7 @@ static struct proto_ops __maybe_unused algif_rng_test_o= ps =3D { .sendmsg =3D rng_test_sendmsg, }; =20 -static void *rng_bind(const char *name, u32 type, u32 mask) +static void *rng_bind(const char *name) { struct rng_parent_ctx *pctx; struct crypto_rng *rng; @@ -206,7 +206,7 @@ static void *rng_bind(const char *name, u32 type, u32 m= ask) if (!pctx) return ERR_PTR(-ENOMEM); =20 - rng =3D crypto_alloc_rng(name, type, mask); + rng =3D crypto_alloc_rng(name, 0, AF_ALG_CRYPTOAPI_MASK); if (IS_ERR(rng)) { kfree(pctx); return ERR_CAST(rng); diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 9dbccabd87b13920c27aff5a450a235cc6a27d59..df20bdfe1f1f4e453782dee3b74= 3dd1939ab4c6c 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -307,9 +307,9 @@ static struct proto_ops algif_skcipher_ops_nokey =3D { .poll =3D af_alg_poll, }; =20 -static void *skcipher_bind(const char *name, u32 type, u32 mask) +static void *skcipher_bind(const char *name) { - return crypto_alloc_skcipher(name, type, mask); + return crypto_alloc_skcipher(name, 0, AF_ALG_CRYPTOAPI_MASK); } =20 static void skcipher_release(void *private) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 62867daca47d76c9ea1a7ed233188788c5f6c3c0..7643ba954125aba0c06aaf19de0= 87985325885ad 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -41,7 +41,7 @@ struct af_alg_control { }; =20 struct af_alg_type { - void *(*bind)(const char *name, u32 type, u32 mask); + void *(*bind)(const char *name); void (*release)(void *private); int (*setkey)(void *private, const u8 *key, unsigned int keylen); int (*setentropy)(void *private, sockptr_t entropy, unsigned int len); @@ -243,4 +243,16 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *ms= g, int flags, struct af_alg_async_req *areq, size_t maxsize, size_t *outlen); =20 +/* + * Mask used to disable unsupported algorithm implementations. + * + * This is the same as FSCRYPT_CRYPTOAPI_MASK in fs/crypto/fscrypt_private= .h. + * In additions to the motivations there, this API is exposed to userspace + * that might not be fully trusted. + */ +#define AF_ALG_CRYPTOAPI_MASK \ + (CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY | \ + CRYPTO_ALG_KERN_DRIVER_ONLY) + + #endif /* _CRYPTO_IF_ALG_H */ --=20 2.54.0 From nobody Sun May 24 18:42:23 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C879D269CE6; Sat, 23 May 2026 19:43:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; cv=none; b=LNXWOv+2nIb0bbyTO3hkmwjN75vxnIeno42/2NwF5kcSIQO1lioYelZx7dafcuSdgVqHhKgfNY74A/yF+1Eg/4ri0NmNzUui1218q89V2uTutScboiiOkdVzuI1Rp82hsYqumXCPjdCMxzBn923CIJp8nR0Vj2hvDMxMglKuYfI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779565389; c=relaxed/simple; bh=OzRx4Jea/gQowRgqur1LzxDMUuIgE+6OcV41//cfvS0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=GF7eyF4KHev8Jh/H8pn2trWcA05mA/B8/oLM5T2g/KeIhr1s9w/xIc52rslRv31CQIBj8w8ny13ufJg21QDlDkV0oO0MpfCzoVnliTEuMEtmOXcFAJk0TCyRVc3i+3J3zvrrvhYzvydwTo10QCTkwxg+KzCYjxtdIvO4t7a2rP8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=knl2A0RY; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="knl2A0RY" Received: by smtp.kernel.org (Postfix) with ESMTPS id 90CD5C2BCF5; Sat, 23 May 2026 19:43:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779565389; bh=OzRx4Jea/gQowRgqur1LzxDMUuIgE+6OcV41//cfvS0=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=knl2A0RYLu6aIFzU87tH3SBjrcf/u7kNd4FpOXmXiV3CP6UPAMrjie9ToMOyUVABc 6Zp3WIo3C1rmkisFUl9G4PQIvA2qrvIOfjDetWjGr5jMYALEwEY2vZxrWyhh0kGN+5 XFVllvQeLK/B7h1hTWLC+eYRJiwLQZG/0LSzv7c5jxYCnwwZDl9zEjcdchJyFWHNEh sZu5huo7RIlEPyFpD1qaj+hbo0Aiwyx3gAGy4d9BBq2yVm4WoVxsg1H38HHRD8elhF qMOzFbZmPkDlkE31JOGdUhC1vepCKl4iSFTaPGhi6OnD2nUrkIXHrEZfE+lZ8rdpXb U5jVdMt9Yk46A== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85334CD5BB8; Sat, 23 May 2026 19:43:09 +0000 (UTC) From: Demi Marie Obenour via B4 Relay Date: Sat, 23 May 2026 15:43:04 -0400 Subject: [PATCH 3/3] AF_ALG: Document that it is *always* slower Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260523-af-alg-harden-v1-3-c76755c3a5c5@gmail.com> References: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> In-Reply-To: <20260523-af-alg-harden-v1-0-c76755c3a5c5@gmail.com> To: Herbert Xu , "David S. Miller" , Eric Dumazet , Kuniyuki Iwashima , Paolo Abeni , Willem de Bruijn , Jens Axboe , Jakub Kicinski , Simon Horman , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Jiri Olsa , Ian Rogers , Adrian Hunter , James Clark , Jonathan Corbet , Shuah Khan , Eric Biggers , Ard Biesheuvel Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-perf-users@vger.kernel.org, linux-doc@vger.kernel.org, Demi Marie Obenour X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1779565388; l=2773; i=demiobenour@gmail.com; s=20250731; h=from:subject:message-id; bh=cCZclUN91iyFrsr3PZ6oslmjWDYG7uvJ1BorPBKSILk=; b=tMvuqZQCtqZsAaMqHEV39cBc/++4hmxFbFBMdRmtHQtjclb/Ws8rPWSMTsw9+kwtC7mX2BxyO lWvyv8MjokkBQ9W7YuISmmpzpSoOKpUxcuzWE1mfMgEZmwyHZtvfm6N X-Developer-Key: i=demiobenour@gmail.com; a=ed25519; pk=4iGY+ynEKxIfs+fIUK9EzsvZ44yGE0GvXLeLTPKKPhI= X-Endpoint-Received: by B4 Relay for demiobenour@gmail.com/20250731 with auth_id=473 X-Original-From: Demi Marie Obenour Reply-To: demiobenour@gmail.com From: Demi Marie Obenour Without support for zero-copy or off-CPU offloads, AF_ALG is always slower than software cryptography. Its only advantage is that it might save code size. However, this is largely mitigated by lightweight userspace cryptographic libraries. Signed-off-by: Demi Marie Obenour --- Documentation/crypto/userspace-if.rst | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/Documentation/crypto/userspace-if.rst b/Documentation/crypto/u= serspace-if.rst index b31117d4415dda6ad6ca36275e615bec7df9552e..ab93300c8e04524469f284704c7= c5ed582fdcbc0 100644 --- a/Documentation/crypto/userspace-if.rst +++ b/Documentation/crypto/userspace-if.rst @@ -28,8 +28,8 @@ functionality than that. It actually provides access to a= ll software algorithms. =20 This includes arbitrary compositions of different algorithms created via a complex template system, as well as algorithms that only make sense as int= ernal -implementation details of other algorithms. It also includes full zero-copy -support, which is difficult for the kernel to implement securely. +implementation details of other algorithms. In the past, it also included = full +zero-copy support, which was difficult for the kernel to implement securel= y. =20 Ultimately, these algorithms are just math computations. They use the same instructions that userspace programs already have access to, just accessed= in a @@ -38,6 +38,21 @@ much more convoluted and less efficient way. Indeed, userspace code is nearly always what is being used anyway. These s= ame algorithms are widely implemented in userspace crypto libraries. =20 +Even when zero-copy and off-CPU accelerators were supported, AF_ALG was us= ually +much slower than optimized software cryptography in userspace. This was +especially true for the small message sizes usually seen in performance-cr= itical +workloads. While it was possible to demonstrate performance wins for hashi= ng +large files on embedded devices, it is hard to imagine a situation where t= his +would be performance-critical. + +Nowadays, AF_ALG no longer supports zero-copy or off-CPU accelerators. +Therefore, it is *always* slower than an optimized userspace implementatio= n, +even for large messages. The only possible advantage left is that it avoids +duplicating code between kernel and userspace. However, userspace +implementations, especially hardware-accelerated ones, do not need to be l= arge. +Just because OpenSSL is huge does not mean that all userspace cryptography +libraries are. + Meanwhile, AF_ALG hasn't been withstanding modern vulnerability discovery = tools such as syzbot and large language models. It receives a steady stream of C= VEs. Some of the examples include: --=20 2.54.0