On Tue, 23 Sep 2025, Mikulas Patocka wrote:
>
>
> On Tue, 23 Sep 2025, Herbert Xu wrote:
>
> > If authenc gets EBUSY from the ahash, then the ahash is responsible
> > for sending an EINPROGRESS notification. I just checked the authenc
> > code and it does pass the notification back up to the caller (which
> > is dm-crypt).
> >
> > So if EINPROGRESS is not being received, then it's a bug in the
> > ahash layer or the underlying ahash algorithm.
>
> static void authenc_request_complete(struct aead_request *req, int err)
> {
> if (err != -EINPROGRESS)
> aead_request_complete(req, err);
> }
>
> This prevents -EINPROGRESS from reaching dm-crypt. If I remove the
> condition "err != -EINPROGRESS", the deadlock goes away. Though, removing
> it may break other things - we may send -EINPROGRESS twice, first for the
> hash and then for the decryption.
>
> > Which phmac implementation was this?
>
> It was pseudo_phmac out-of-tree module sent by Harald Freudenberger. He
> CC'd you, so you should have it as an attachment in your inbox.
>
> The following scripts creates the buggy device mapper device:
>
> #!/bin/sh -ex
> sync
> modprobe crypto_engine
> insmod ~/c/phmac/pseudo_phmac/phmac.ko
> modprobe brd rd_size=1048576
> dmsetup create cr_dif --table '0 2031880 integrity 1:0 32768 32 J 7
> block_size:4096 interleave_sectors:32768 buffer_sectors:128
> journal_sectors:16368 journal_watermark:50 commit_time:10000 fix_padding'
> dmsetup create cr --table '0 2031880 crypt
> capi:authenc(phmac(sha256),xts(aes))-plain64
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0 252:0 0 2 integrity:32:aead sector_size:4096'
> dd if=/dev/zero of=/dev/mapper/cr bs=1M oflag=direct status=progress
>
> > Cheers,
>
> Mikulas
What do you think about this patch? Do you think that it is the right
direction to fix it?
Mikulas
From: Mikulas Patocka <[email protected]>
The function authenc_request_complete ignores -EINPROGRESS. This causes
deadlock in dm-crypt when using it with authenticated encryption with an
asynchronous hash implementation.
This patch makes it pass -EINPROGRESS to the caller. Note that we don't
want to report -EINPROGRESS twice (one for the hash and the second one
for the cipher), so we set a flag and report -EINPROGRESS just once.
Signed-off-by: Mikulas Patocka <[email protected]>
---
crypto/authenc.c | 11 +++++++++--
include/linux/crypto.h | 1 +
2 files changed, 10 insertions(+), 2 deletions(-)
Index: linux-2.6/crypto/authenc.c
===================================================================
--- linux-2.6.orig/crypto/authenc.c 2025-09-23 16:15:42.000000000 +0200
+++ linux-2.6/crypto/authenc.c 2025-09-23 16:32:57.000000000 +0200
@@ -37,8 +37,15 @@ struct authenc_request_ctx {
static void authenc_request_complete(struct aead_request *req, int err)
{
- if (err != -EINPROGRESS)
- aead_request_complete(req, err);
+ if (unlikely(err == -EINPROGRESS)) {
+ req->base.flags |= CRYPTO_TFM_REQ_REPORT_EINPROGRESS;
+ return;
+ }
+ if (unlikely(req->base.flags & CRYPTO_TFM_REQ_REPORT_EINPROGRESS)) {
+ aead_request_complete(req, -EINPROGRESS);
+ req->base.flags &=~ CRYPTO_TFM_REQ_REPORT_EINPROGRESS;
+ }
+ aead_request_complete(req, err);
}
int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
Index: linux-2.6/include/linux/crypto.h
===================================================================
--- linux-2.6.orig/include/linux/crypto.h 2025-08-15 17:28:24.000000000
+0200
+++ linux-2.6/include/linux/crypto.h 2025-09-23 16:17:05.000000000 +0200
@@ -151,6 +151,7 @@
#define CRYPTO_TFM_REQ_MAY_SLEEP 0x00000200
#define CRYPTO_TFM_REQ_MAY_BACKLOG 0x00000400
#define CRYPTO_TFM_REQ_ON_STACK 0x00000800
+#define CRYPTO_TFM_REQ_REPORT_EINPROGRESS 0x00100000
/*
* Miscellaneous stuff.
