Revision 472e5b056f000a778abb41f1e443de58eb259783 authored by Linus Torvalds on 02 October 2020, 02:14:36 UTC, committed by Linus Torvalds on 02 October 2020, 02:14:36 UTC
The pipe splice code still used the old model of waiting for pipe IO by
using a non-specific "pipe_wait()" that waited for any pipe event to
happen, which depended on all pipe IO being entirely serialized by the
pipe lock. So by checking the state you were waiting for, and then
adding yourself to the wait queue before dropping the lock, you were
guaranteed to see all the wakeups.
Strictly speaking, the actual wakeups were not done under the lock, but
the pipe_wait() model still worked, because since the waiter held the
lock when checking whether it should sleep, it would always see the
current state, and the wakeup was always done after updating the state.
However, commit 0ddad21d3e99 ("pipe: use exclusive waits when reading or
writing") split the single wait-queue into two, and in the process also
made the "wait for event" code wait for _two_ wait queues, and that then
showed a race with the wakers that were not serialized by the pipe lock.
It's only splice that used that "pipe_wait()" model, so the problem
wasn't obvious, but Josef Bacik reports:
"I hit a hang with fstest btrfs/187, which does a btrfs send into
/dev/null. This works by creating a pipe, the write side is given to
the kernel to write into, and the read side is handed to a thread that
splices into a file, in this case /dev/null.
The box that was hung had the write side stuck here [pipe_write] and
the read side stuck here [splice_from_pipe_next -> pipe_wait].
[ more details about pipe_wait() scenario ]
The problem is we're doing the prepare_to_wait, which sets our state
each time, however we can be woken up either with reads or writes. In
the case above we race with the WRITER waking us up, and re-set our
state to INTERRUPTIBLE, and thus never break out of schedule"
Josef had a patch that avoided the issue in pipe_wait() by just making
it set the state only once, but the deeper problem is that pipe_wait()
depends on a level of synchonization by the pipe mutex that it really
shouldn't. And the whole "wait for any pipe state change" model really
isn't very good to begin with.
So rather than trying to work around things in pipe_wait(), remove that
legacy model of "wait for arbitrary pipe event" entirely, and actually
create functions that wait for the pipe actually being readable or
writable, and can do so without depending on the pipe lock serializing
everything.
Fixes: 0ddad21d3e99 ("pipe: use exclusive waits when reading or writing")
Link: https://lore.kernel.org/linux-fsdevel/bfa88b5ad6f069b2b679316b9e495a970130416c.1601567868.git.josef@toxicpanda.com/
Reported-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-and-tested-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 44b6e23
ecrdsa.c
// SPDX-License-Identifier: GPL-2.0+
/*
* Elliptic Curve (Russian) Digital Signature Algorithm for Cryptographic API
*
* Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
*
* References:
* GOST 34.10-2018, GOST R 34.10-2012, RFC 7091, ISO/IEC 14888-3:2018.
*
* Historical references:
* GOST R 34.10-2001, RFC 4357, ISO/IEC 14888-3:2006/Amd 1:2010.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*/
#include <linux/module.h>
#include <linux/crypto.h>
#include <crypto/streebog.h>
#include <crypto/internal/akcipher.h>
#include <crypto/akcipher.h>
#include <linux/oid_registry.h>
#include "ecrdsa_params.asn1.h"
#include "ecrdsa_pub_key.asn1.h"
#include "ecc.h"
#include "ecrdsa_defs.h"
#define ECRDSA_MAX_SIG_SIZE (2 * 512 / 8)
#define ECRDSA_MAX_DIGITS (512 / 64)
struct ecrdsa_ctx {
enum OID algo_oid; /* overall public key oid */
enum OID curve_oid; /* parameter */
enum OID digest_oid; /* parameter */
const struct ecc_curve *curve; /* curve from oid */
unsigned int digest_len; /* parameter (bytes) */
const char *digest; /* digest name from oid */
unsigned int key_len; /* @key length (bytes) */
const char *key; /* raw public key */
struct ecc_point pub_key;
u64 _pubp[2][ECRDSA_MAX_DIGITS]; /* point storage for @pub_key */
};
static const struct ecc_curve *get_curve_by_oid(enum OID oid)
{
switch (oid) {
case OID_gostCPSignA:
case OID_gostTC26Sign256B:
return &gost_cp256a;
case OID_gostCPSignB:
case OID_gostTC26Sign256C:
return &gost_cp256b;
case OID_gostCPSignC:
case OID_gostTC26Sign256D:
return &gost_cp256c;
case OID_gostTC26Sign512A:
return &gost_tc512a;
case OID_gostTC26Sign512B:
return &gost_tc512b;
/* The following two aren't implemented: */
case OID_gostTC26Sign256A:
case OID_gostTC26Sign512C:
default:
return NULL;
}
}
static int ecrdsa_verify(struct akcipher_request *req)
{
struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
unsigned char sig[ECRDSA_MAX_SIG_SIZE];
unsigned char digest[STREEBOG512_DIGEST_SIZE];
unsigned int ndigits = req->dst_len / sizeof(u64);
u64 r[ECRDSA_MAX_DIGITS]; /* witness (r) */
u64 _r[ECRDSA_MAX_DIGITS]; /* -r */
u64 s[ECRDSA_MAX_DIGITS]; /* second part of sig (s) */
u64 e[ECRDSA_MAX_DIGITS]; /* h \mod q */
u64 *v = e; /* e^{-1} \mod q */
u64 z1[ECRDSA_MAX_DIGITS];
u64 *z2 = _r;
struct ecc_point cc = ECC_POINT_INIT(s, e, ndigits); /* reuse s, e */
/*
* Digest value, digest algorithm, and curve (modulus) should have the
* same length (256 or 512 bits), public key and signature should be
* twice bigger.
*/
if (!ctx->curve ||
!ctx->digest ||
!req->src ||
!ctx->pub_key.x ||
req->dst_len != ctx->digest_len ||
req->dst_len != ctx->curve->g.ndigits * sizeof(u64) ||
ctx->pub_key.ndigits != ctx->curve->g.ndigits ||
req->dst_len * 2 != req->src_len ||
WARN_ON(req->src_len > sizeof(sig)) ||
WARN_ON(req->dst_len > sizeof(digest)))
return -EBADMSG;
sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
sig, req->src_len);
sg_pcopy_to_buffer(req->src,
sg_nents_for_len(req->src,
req->src_len + req->dst_len),
digest, req->dst_len, req->src_len);
vli_from_be64(s, sig, ndigits);
vli_from_be64(r, sig + ndigits * sizeof(u64), ndigits);
/* Step 1: verify that 0 < r < q, 0 < s < q */
if (vli_is_zero(r, ndigits) ||
vli_cmp(r, ctx->curve->n, ndigits) == 1 ||
vli_is_zero(s, ndigits) ||
vli_cmp(s, ctx->curve->n, ndigits) == 1)
return -EKEYREJECTED;
/* Step 2: calculate hash (h) of the message (passed as input) */
/* Step 3: calculate e = h \mod q */
vli_from_le64(e, digest, ndigits);
if (vli_cmp(e, ctx->curve->n, ndigits) == 1)
vli_sub(e, e, ctx->curve->n, ndigits);
if (vli_is_zero(e, ndigits))
e[0] = 1;
/* Step 4: calculate v = e^{-1} \mod q */
vli_mod_inv(v, e, ctx->curve->n, ndigits);
/* Step 5: calculate z_1 = sv \mod q, z_2 = -rv \mod q */
vli_mod_mult_slow(z1, s, v, ctx->curve->n, ndigits);
vli_sub(_r, ctx->curve->n, r, ndigits);
vli_mod_mult_slow(z2, _r, v, ctx->curve->n, ndigits);
/* Step 6: calculate point C = z_1P + z_2Q, and R = x_c \mod q */
ecc_point_mult_shamir(&cc, z1, &ctx->curve->g, z2, &ctx->pub_key,
ctx->curve);
if (vli_cmp(cc.x, ctx->curve->n, ndigits) == 1)
vli_sub(cc.x, cc.x, ctx->curve->n, ndigits);
/* Step 7: if R == r signature is valid */
if (!vli_cmp(cc.x, r, ndigits))
return 0;
else
return -EKEYREJECTED;
}
int ecrdsa_param_curve(void *context, size_t hdrlen, unsigned char tag,
const void *value, size_t vlen)
{
struct ecrdsa_ctx *ctx = context;
ctx->curve_oid = look_up_OID(value, vlen);
if (!ctx->curve_oid)
return -EINVAL;
ctx->curve = get_curve_by_oid(ctx->curve_oid);
return 0;
}
/* Optional. If present should match expected digest algo OID. */
int ecrdsa_param_digest(void *context, size_t hdrlen, unsigned char tag,
const void *value, size_t vlen)
{
struct ecrdsa_ctx *ctx = context;
int digest_oid = look_up_OID(value, vlen);
if (digest_oid != ctx->digest_oid)
return -EINVAL;
return 0;
}
int ecrdsa_parse_pub_key(void *context, size_t hdrlen, unsigned char tag,
const void *value, size_t vlen)
{
struct ecrdsa_ctx *ctx = context;
ctx->key = value;
ctx->key_len = vlen;
return 0;
}
static u8 *ecrdsa_unpack_u32(u32 *dst, void *src)
{
memcpy(dst, src, sizeof(u32));
return src + sizeof(u32);
}
/* Parse BER encoded subjectPublicKey. */
static int ecrdsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
unsigned int keylen)
{
struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
unsigned int ndigits;
u32 algo, paramlen;
u8 *params;
int err;
err = asn1_ber_decoder(&ecrdsa_pub_key_decoder, ctx, key, keylen);
if (err < 0)
return err;
/* Key parameters is in the key after keylen. */
params = ecrdsa_unpack_u32(¶mlen,
ecrdsa_unpack_u32(&algo, (u8 *)key + keylen));
if (algo == OID_gost2012PKey256) {
ctx->digest = "streebog256";
ctx->digest_oid = OID_gost2012Digest256;
ctx->digest_len = 256 / 8;
} else if (algo == OID_gost2012PKey512) {
ctx->digest = "streebog512";
ctx->digest_oid = OID_gost2012Digest512;
ctx->digest_len = 512 / 8;
} else
return -ENOPKG;
ctx->algo_oid = algo;
/* Parse SubjectPublicKeyInfo.AlgorithmIdentifier.parameters. */
err = asn1_ber_decoder(&ecrdsa_params_decoder, ctx, params, paramlen);
if (err < 0)
return err;
/*
* Sizes of algo (set in digest_len) and curve should match
* each other.
*/
if (!ctx->curve ||
ctx->curve->g.ndigits * sizeof(u64) != ctx->digest_len)
return -ENOPKG;
/*
* Key is two 256- or 512-bit coordinates which should match
* curve size.
*/
if ((ctx->key_len != (2 * 256 / 8) &&
ctx->key_len != (2 * 512 / 8)) ||
ctx->key_len != ctx->curve->g.ndigits * sizeof(u64) * 2)
return -ENOPKG;
ndigits = ctx->key_len / sizeof(u64) / 2;
ctx->pub_key = ECC_POINT_INIT(ctx->_pubp[0], ctx->_pubp[1], ndigits);
vli_from_le64(ctx->pub_key.x, ctx->key, ndigits);
vli_from_le64(ctx->pub_key.y, ctx->key + ndigits * sizeof(u64),
ndigits);
if (ecc_is_pubkey_valid_partial(ctx->curve, &ctx->pub_key))
return -EKEYREJECTED;
return 0;
}
static unsigned int ecrdsa_max_size(struct crypto_akcipher *tfm)
{
struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
/*
* Verify doesn't need any output, so it's just informational
* for keyctl to determine the key bit size.
*/
return ctx->pub_key.ndigits * sizeof(u64);
}
static void ecrdsa_exit_tfm(struct crypto_akcipher *tfm)
{
}
static struct akcipher_alg ecrdsa_alg = {
.verify = ecrdsa_verify,
.set_pub_key = ecrdsa_set_pub_key,
.max_size = ecrdsa_max_size,
.exit = ecrdsa_exit_tfm,
.base = {
.cra_name = "ecrdsa",
.cra_driver_name = "ecrdsa-generic",
.cra_priority = 100,
.cra_module = THIS_MODULE,
.cra_ctxsize = sizeof(struct ecrdsa_ctx),
},
};
static int __init ecrdsa_mod_init(void)
{
return crypto_register_akcipher(&ecrdsa_alg);
}
static void __exit ecrdsa_mod_fini(void)
{
crypto_unregister_akcipher(&ecrdsa_alg);
}
module_init(ecrdsa_mod_init);
module_exit(ecrdsa_mod_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Vitaly Chikunov <vt@altlinux.org>");
MODULE_DESCRIPTION("EC-RDSA generic algorithm");
MODULE_ALIAS_CRYPTO("ecrdsa-generic");
Computing file changes ...
