From nobody Mon Jun 8 05:24:53 2026 Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 857D63612F6 for ; Mon, 1 Jun 2026 19:29:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780342173; cv=none; b=KKtsLk+mg39qB9fikAGh61bMQlCi9+vtd15u/xON76Us0IHsVPx1Mjl1Ljr+HGNxjFjvncNmDHVP4Ad+DnNrrOu2w51NhryjdFjOybVeeRL5IYfgto9VE/Kl6MKguv6suzqsb4x9exblwUM20f6Yu3WWwCf8gwK33P3EBuAcNOs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780342173; c=relaxed/simple; bh=svjmAHPOo637dqrXsepIyWpJZfmSdpIwDwayLAfPTNc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZVZH8lSyPQJczRz/FheN7EoCgF/l2Ss2jWXEV7Z3RWadRGZ7g+aAAk9/Ky0s2FNQ0m2nGgALmrP1vgG5BJ/BXXh+zX0WlxfVPe1DurH+Ruf/UE7hhHCCJq1B0EngTzoZSDadGh+narY7cLKxYvCU9uufmLFWFmLo1wtL/V9yWy4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=InTctHNj; arc=none smtp.client-ip=209.85.222.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="InTctHNj" Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-914bfa75911so1125154585a.1 for ; Mon, 01 Jun 2026 12:29:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780342171; x=1780946971; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=lgKM7SFpYHVInuovDxALO/eeMfBo+t817eXB2nW30Kk=; b=InTctHNjNVlM8JRogMx3rDRhmN8sxEUWPzZ1U5M7eYGWw9mRSPO25K2HVQLeGDeu59 faWFPwOYZ8cP8R/uXKxPMC2LlR5Dfv5TOHV7YnXYrV7OFZyJyv9pifnw0fTiYYGYk1IY H4cJceJVSUCBZsy7n/i3sco+JBGJEG+J+lKs3F60FunlcYNp6H9BqHvVt9lcc7pwmMM9 LHu7/Byq2qeVojd45i99g3fibCYSDUKp4F4pg8OE1M6m2SKVU/ywsT1pLY3LfFHOuhIu SeNrVwNNoMk9QLBDjiBqXanI/TT0MNyg4mfuRJWPUQbSjNwMXiSSeKUln8ew+7Wpupyq JYJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780342171; x=1780946971; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=lgKM7SFpYHVInuovDxALO/eeMfBo+t817eXB2nW30Kk=; b=iCP6fCurCPDpuabZwntzUTjsePfpAXik5ABrv7JGWjxanjyHh+p0RX3R+3/QOLTqtF gEXwI2EwKcSAXNiJQcUd3YI/kNPyZofagO0q3iamCa17N7Ic3bucwFESoUmuZqBfGK2j QgWgrfcbg3l2yxruscWe+WKGbgNqc3sZYDlGr3J7YCzdiRBKnDr/D9jscGLOdKFveSeS N+WfQZZyYcp7BgMe/+4t3ZorOrlzj/YTEUQ4eLr1D9iQCN8QUmFh7+RdOvmrHcKm9nWm lma3Qz1xetphhylJM+1ADByinW6Bb/g13xV1+ImkZk7c/MKw0H3C2JJqIXRKPuRbcsbA oHPw== X-Gm-Message-State: AOJu0YzDg/M7JI0+4tLKfDj6K87V85yGZmeVD8v7W7GyDYLPXUYZyTEI emPPVt9xqE+RRSqcADwyESkNX/wljk+5cpOPS1aQTQIBKXl/WOzIUz4e X-Gm-Gg: Acq92OHNvDkxaxgdgvxTxkRAuXQssqlZwhttUoLgNpBJ/51ZfLHikp7MmAYGmyycYZ8 C07apg+/s0fYyosd+5o5u5qrQqnanb2phZGjB6ONM6mUIBiJrExxEoR2oYNRVjHGCJ003x74Ct0 yv8I3oWl2D0XqKMTHM1kny67GQI/3TIs2+yWUamj5w7z8wxGEOhgM1B7p9o3qjPh1351vxsZn6n FhHcw7NBMb5v90s4iLxpCbNwOi2ARGZPuMSABUVHjY9DLFKbL4MYwBv0VWpOYj2ZckKE+h0LrAn lp4A13u/FCvBzcZv3uHPejAh/P5sk/+WqxZxzFDenxbPp/Vu9BLP6jAdnQl9HN1xJvocrx1wgRB 2Xp6PFX41gRRY2ecYkcF6jP/XAfYjwNdSxTsUxCFTUyOpDuux4w+66xGlzhrmEruZspk4DrMl9z m/U4giDtyaKmsM1jXiwAix4bw2Au2w2tvXv/D6BUuDRGcll8wj4UovBrvAUXpuf7zE3FZF63epL 4E6fRS4a/dsY+XJYRXlVxslgATyKHTMbunGsQvFADd3/j8V9itWH6vaP8whcIMHN2fbsuCqMKnI cCbKAqcmGxWmQGr93ARtyaNGtijSwWucWgs2Dw== X-Received: by 2002:a05:620a:25c8:b0:913:e5bb:3db0 with SMTP id af79cd13be357-91577ebf04emr141478985a.18.1780342171489; Mon, 01 Jun 2026 12:29:31 -0700 (PDT) Received: from maxbox.tailad2ea6.ts.net ([2603:6081:16f0:a980::18f1]) by smtp.gmail.com with ESMTPSA id af79cd13be357-915790a787bsm25035085a.29.2026.06.01.12.29.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Jun 2026 12:29:31 -0700 (PDT) From: Max Clinton To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, herbert@gondor.apana.org.au, gregkh@linuxfoundation.org, davem@davemloft.net, security@kernel.org, stable@kernel.org, Max Clinton Subject: [PATCH v2] crypto: algif_skcipher - snapshot IV for async skcipher requests Date: Mon, 1 Jun 2026 15:29:27 -0400 Message-ID: <20260601192927.1095129-1-maxtclinton@gmail.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260518233538.705966-2-maxtclinton@gmail.com> References: <20260518233538.705966-2-maxtclinton@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" AF_ALG skcipher AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the original request has fully completed, which can lead to inconsistent IV handling. Snapshot the IV into per-request storage when preparing the skcipher request, so in-flight operations no longer depend on mutable socket state. This mirrors the algif_aead fix from commit 5aa58c3a572b ("crypto: algif_aead - snapshot IV for async AEAD requests"), which addressed the same shape of bug in the AEAD sibling subsystem. Tested on Debian Trixie 6.12.74+deb13+1-amd64 (unpatched) and on v6.12.86 + this patch via virtme-ng on the same host. Reproducer results: 10-14% race rate over 50000 iterations on the unpatched kernel against cryptd(cbc(aes-generic)); 0 races at 50000 and 200000 iterations on the patched kernel; 0 races at 200000 iterations on the unpatched kernel with the synchronous cbc(aes-generic) driver as a control case (confirming the race is gated on the async dispatch path). Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management") Cc: stable@kernel.org Suggested-by: Herbert Xu Signed-off-by: Max Clinton --- Changes since v1: - Drop unneeded include (Herbert). - Rewrite iv pointer computation as (areq + 1) + reqsize per Herbert's suggestion. crypto/algif_skcipher.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index ba0a17fd9..5b5bc1204 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -103,9 +103,11 @@ static int _skcipher_recvmsg(struct socket *sock, stru= ct msghdr *msg, struct af_alg_ctx *ctx =3D ask->private; struct crypto_skcipher *tfm =3D pask->private; unsigned int bs =3D crypto_skcipher_chunksize(tfm); + unsigned int ivsize =3D crypto_skcipher_ivsize(tfm); struct af_alg_async_req *areq; unsigned cflags =3D 0; int err =3D 0; + void *iv; size_t len =3D 0; =20 if (!ctx->init || (ctx->more && ctx->used < bs)) { @@ -116,10 +118,13 @@ static int _skcipher_recvmsg(struct socket *sock, str= uct msghdr *msg, =20 /* Allocate cipher request for current operation. */ areq =3D af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) + - crypto_skcipher_reqsize(tfm)); + crypto_skcipher_reqsize(tfm) + ivsize); if (IS_ERR(areq)) return PTR_ERR(areq); =20 + iv =3D (u8 *)(areq + 1) + crypto_skcipher_reqsize(tfm); + memcpy(iv, ctx->iv, ivsize); + /* convert iovecs of output buffers into RX SGL */ err =3D af_alg_get_rsgl(sk, msg, flags, areq, ctx->used, &len); if (err) @@ -159,7 +164,7 @@ static int _skcipher_recvmsg(struct socket *sock, struc= t msghdr *msg, /* Initialize the crypto operation */ skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); skcipher_request_set_crypt(&areq->cra_u.skcipher_req, areq->tsgl, - areq->first_rsgl.sgl.sgt.sgl, len, ctx->iv); + areq->first_rsgl.sgl.sgt.sgl, len, iv); =20 if (ctx->state) { err =3D crypto_skcipher_import(&areq->cra_u.skcipher_req, --=20 2.47.3