xref: /openbmc/linux/drivers/md/dm-crypt.c (revision 11788d9b)
1 /*
2  * Copyright (C) 2003 Jana Saout <jana@saout.de>
3  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
4  * Copyright (C) 2006-2020 Red Hat, Inc. All rights reserved.
5  * Copyright (C) 2013-2020 Milan Broz <gmazyland@gmail.com>
6  *
7  * This file is released under the GPL.
8  */
9 
10 #include <linux/completion.h>
11 #include <linux/err.h>
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/key.h>
16 #include <linux/bio.h>
17 #include <linux/blkdev.h>
18 #include <linux/mempool.h>
19 #include <linux/slab.h>
20 #include <linux/crypto.h>
21 #include <linux/workqueue.h>
22 #include <linux/kthread.h>
23 #include <linux/backing-dev.h>
24 #include <linux/atomic.h>
25 #include <linux/scatterlist.h>
26 #include <linux/rbtree.h>
27 #include <linux/ctype.h>
28 #include <asm/page.h>
29 #include <asm/unaligned.h>
30 #include <crypto/hash.h>
31 #include <crypto/md5.h>
32 #include <crypto/algapi.h>
33 #include <crypto/skcipher.h>
34 #include <crypto/aead.h>
35 #include <crypto/authenc.h>
36 #include <linux/rtnetlink.h> /* for struct rtattr and RTA macros only */
37 #include <linux/key-type.h>
38 #include <keys/user-type.h>
39 #include <keys/encrypted-type.h>
40 
41 #include <linux/device-mapper.h>
42 
43 #define DM_MSG_PREFIX "crypt"
44 
45 /*
46  * context holding the current state of a multi-part conversion
47  */
48 struct convert_context {
49 	struct completion restart;
50 	struct bio *bio_in;
51 	struct bio *bio_out;
52 	struct bvec_iter iter_in;
53 	struct bvec_iter iter_out;
54 	u64 cc_sector;
55 	atomic_t cc_pending;
56 	union {
57 		struct skcipher_request *req;
58 		struct aead_request *req_aead;
59 	} r;
60 
61 };
62 
63 /*
64  * per bio private data
65  */
66 struct dm_crypt_io {
67 	struct crypt_config *cc;
68 	struct bio *base_bio;
69 	u8 *integrity_metadata;
70 	bool integrity_metadata_from_pool;
71 	struct work_struct work;
72 	struct tasklet_struct tasklet;
73 
74 	struct convert_context ctx;
75 
76 	atomic_t io_pending;
77 	blk_status_t error;
78 	sector_t sector;
79 
80 	struct rb_node rb_node;
81 } CRYPTO_MINALIGN_ATTR;
82 
83 struct dm_crypt_request {
84 	struct convert_context *ctx;
85 	struct scatterlist sg_in[4];
86 	struct scatterlist sg_out[4];
87 	u64 iv_sector;
88 };
89 
90 struct crypt_config;
91 
92 struct crypt_iv_operations {
93 	int (*ctr)(struct crypt_config *cc, struct dm_target *ti,
94 		   const char *opts);
95 	void (*dtr)(struct crypt_config *cc);
96 	int (*init)(struct crypt_config *cc);
97 	int (*wipe)(struct crypt_config *cc);
98 	int (*generator)(struct crypt_config *cc, u8 *iv,
99 			 struct dm_crypt_request *dmreq);
100 	int (*post)(struct crypt_config *cc, u8 *iv,
101 		    struct dm_crypt_request *dmreq);
102 };
103 
104 struct iv_benbi_private {
105 	int shift;
106 };
107 
108 #define LMK_SEED_SIZE 64 /* hash + 0 */
109 struct iv_lmk_private {
110 	struct crypto_shash *hash_tfm;
111 	u8 *seed;
112 };
113 
114 #define TCW_WHITENING_SIZE 16
115 struct iv_tcw_private {
116 	struct crypto_shash *crc32_tfm;
117 	u8 *iv_seed;
118 	u8 *whitening;
119 };
120 
121 #define ELEPHANT_MAX_KEY_SIZE 32
122 struct iv_elephant_private {
123 	struct crypto_skcipher *tfm;
124 };
125 
126 /*
127  * Crypt: maps a linear range of a block device
128  * and encrypts / decrypts at the same time.
129  */
130 enum flags { DM_CRYPT_SUSPENDED, DM_CRYPT_KEY_VALID,
131 	     DM_CRYPT_SAME_CPU, DM_CRYPT_NO_OFFLOAD,
132 	     DM_CRYPT_NO_READ_WORKQUEUE, DM_CRYPT_NO_WRITE_WORKQUEUE,
133 	     DM_CRYPT_WRITE_INLINE };
134 
135 enum cipher_flags {
136 	CRYPT_MODE_INTEGRITY_AEAD,	/* Use authenticated mode for cihper */
137 	CRYPT_IV_LARGE_SECTORS,		/* Calculate IV from sector_size, not 512B sectors */
138 	CRYPT_ENCRYPT_PREPROCESS,	/* Must preprocess data for encryption (elephant) */
139 };
140 
141 /*
142  * The fields in here must be read only after initialization.
143  */
144 struct crypt_config {
145 	struct dm_dev *dev;
146 	sector_t start;
147 
148 	struct percpu_counter n_allocated_pages;
149 
150 	struct workqueue_struct *io_queue;
151 	struct workqueue_struct *crypt_queue;
152 
153 	spinlock_t write_thread_lock;
154 	struct task_struct *write_thread;
155 	struct rb_root write_tree;
156 
157 	char *cipher_string;
158 	char *cipher_auth;
159 	char *key_string;
160 
161 	const struct crypt_iv_operations *iv_gen_ops;
162 	union {
163 		struct iv_benbi_private benbi;
164 		struct iv_lmk_private lmk;
165 		struct iv_tcw_private tcw;
166 		struct iv_elephant_private elephant;
167 	} iv_gen_private;
168 	u64 iv_offset;
169 	unsigned int iv_size;
170 	unsigned short int sector_size;
171 	unsigned char sector_shift;
172 
173 	union {
174 		struct crypto_skcipher **tfms;
175 		struct crypto_aead **tfms_aead;
176 	} cipher_tfm;
177 	unsigned tfms_count;
178 	unsigned long cipher_flags;
179 
180 	/*
181 	 * Layout of each crypto request:
182 	 *
183 	 *   struct skcipher_request
184 	 *      context
185 	 *      padding
186 	 *   struct dm_crypt_request
187 	 *      padding
188 	 *   IV
189 	 *
190 	 * The padding is added so that dm_crypt_request and the IV are
191 	 * correctly aligned.
192 	 */
193 	unsigned int dmreq_start;
194 
195 	unsigned int per_bio_data_size;
196 
197 	unsigned long flags;
198 	unsigned int key_size;
199 	unsigned int key_parts;      /* independent parts in key buffer */
200 	unsigned int key_extra_size; /* additional keys length */
201 	unsigned int key_mac_size;   /* MAC key size for authenc(...) */
202 
203 	unsigned int integrity_tag_size;
204 	unsigned int integrity_iv_size;
205 	unsigned int on_disk_tag_size;
206 
207 	/*
208 	 * pool for per bio private data, crypto requests,
209 	 * encryption requeusts/buffer pages and integrity tags
210 	 */
211 	unsigned tag_pool_max_sectors;
212 	mempool_t tag_pool;
213 	mempool_t req_pool;
214 	mempool_t page_pool;
215 
216 	struct bio_set bs;
217 	struct mutex bio_alloc_lock;
218 
219 	u8 *authenc_key; /* space for keys in authenc() format (if used) */
220 	u8 key[];
221 };
222 
223 #define MIN_IOS		64
224 #define MAX_TAG_SIZE	480
225 #define POOL_ENTRY_SIZE	512
226 
227 static DEFINE_SPINLOCK(dm_crypt_clients_lock);
228 static unsigned dm_crypt_clients_n = 0;
229 static volatile unsigned long dm_crypt_pages_per_client;
230 #define DM_CRYPT_MEMORY_PERCENT			2
231 #define DM_CRYPT_MIN_PAGES_PER_CLIENT		(BIO_MAX_PAGES * 16)
232 
233 static void clone_init(struct dm_crypt_io *, struct bio *);
234 static void kcryptd_queue_crypt(struct dm_crypt_io *io);
235 static struct scatterlist *crypt_get_sg_data(struct crypt_config *cc,
236 					     struct scatterlist *sg);
237 
238 static bool crypt_integrity_aead(struct crypt_config *cc);
239 
240 /*
241  * Use this to access cipher attributes that are independent of the key.
242  */
243 static struct crypto_skcipher *any_tfm(struct crypt_config *cc)
244 {
245 	return cc->cipher_tfm.tfms[0];
246 }
247 
248 static struct crypto_aead *any_tfm_aead(struct crypt_config *cc)
249 {
250 	return cc->cipher_tfm.tfms_aead[0];
251 }
252 
253 /*
254  * Different IV generation algorithms:
255  *
256  * plain: the initial vector is the 32-bit little-endian version of the sector
257  *        number, padded with zeros if necessary.
258  *
259  * plain64: the initial vector is the 64-bit little-endian version of the sector
260  *        number, padded with zeros if necessary.
261  *
262  * plain64be: the initial vector is the 64-bit big-endian version of the sector
263  *        number, padded with zeros if necessary.
264  *
265  * essiv: "encrypted sector|salt initial vector", the sector number is
266  *        encrypted with the bulk cipher using a salt as key. The salt
267  *        should be derived from the bulk cipher's key via hashing.
268  *
269  * benbi: the 64-bit "big-endian 'narrow block'-count", starting at 1
270  *        (needed for LRW-32-AES and possible other narrow block modes)
271  *
272  * null: the initial vector is always zero.  Provides compatibility with
273  *       obsolete loop_fish2 devices.  Do not use for new devices.
274  *
275  * lmk:  Compatible implementation of the block chaining mode used
276  *       by the Loop-AES block device encryption system
277  *       designed by Jari Ruusu. See http://loop-aes.sourceforge.net/
278  *       It operates on full 512 byte sectors and uses CBC
279  *       with an IV derived from the sector number, the data and
280  *       optionally extra IV seed.
281  *       This means that after decryption the first block
282  *       of sector must be tweaked according to decrypted data.
283  *       Loop-AES can use three encryption schemes:
284  *         version 1: is plain aes-cbc mode
285  *         version 2: uses 64 multikey scheme with lmk IV generator
286  *         version 3: the same as version 2 with additional IV seed
287  *                   (it uses 65 keys, last key is used as IV seed)
288  *
289  * tcw:  Compatible implementation of the block chaining mode used
290  *       by the TrueCrypt device encryption system (prior to version 4.1).
291  *       For more info see: https://gitlab.com/cryptsetup/cryptsetup/wikis/TrueCryptOnDiskFormat
292  *       It operates on full 512 byte sectors and uses CBC
293  *       with an IV derived from initial key and the sector number.
294  *       In addition, whitening value is applied on every sector, whitening
295  *       is calculated from initial key, sector number and mixed using CRC32.
296  *       Note that this encryption scheme is vulnerable to watermarking attacks
297  *       and should be used for old compatible containers access only.
298  *
299  * eboiv: Encrypted byte-offset IV (used in Bitlocker in CBC mode)
300  *        The IV is encrypted little-endian byte-offset (with the same key
301  *        and cipher as the volume).
302  *
303  * elephant: The extended version of eboiv with additional Elephant diffuser
304  *           used with Bitlocker CBC mode.
305  *           This mode was used in older Windows systems
306  *           https://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/bitlockercipher200608.pdf
307  */
308 
309 static int crypt_iv_plain_gen(struct crypt_config *cc, u8 *iv,
310 			      struct dm_crypt_request *dmreq)
311 {
312 	memset(iv, 0, cc->iv_size);
313 	*(__le32 *)iv = cpu_to_le32(dmreq->iv_sector & 0xffffffff);
314 
315 	return 0;
316 }
317 
318 static int crypt_iv_plain64_gen(struct crypt_config *cc, u8 *iv,
319 				struct dm_crypt_request *dmreq)
320 {
321 	memset(iv, 0, cc->iv_size);
322 	*(__le64 *)iv = cpu_to_le64(dmreq->iv_sector);
323 
324 	return 0;
325 }
326 
327 static int crypt_iv_plain64be_gen(struct crypt_config *cc, u8 *iv,
328 				  struct dm_crypt_request *dmreq)
329 {
330 	memset(iv, 0, cc->iv_size);
331 	/* iv_size is at least of size u64; usually it is 16 bytes */
332 	*(__be64 *)&iv[cc->iv_size - sizeof(u64)] = cpu_to_be64(dmreq->iv_sector);
333 
334 	return 0;
335 }
336 
337 static int crypt_iv_essiv_gen(struct crypt_config *cc, u8 *iv,
338 			      struct dm_crypt_request *dmreq)
339 {
340 	/*
341 	 * ESSIV encryption of the IV is now handled by the crypto API,
342 	 * so just pass the plain sector number here.
343 	 */
344 	memset(iv, 0, cc->iv_size);
345 	*(__le64 *)iv = cpu_to_le64(dmreq->iv_sector);
346 
347 	return 0;
348 }
349 
350 static int crypt_iv_benbi_ctr(struct crypt_config *cc, struct dm_target *ti,
351 			      const char *opts)
352 {
353 	unsigned bs;
354 	int log;
355 
356 	if (crypt_integrity_aead(cc))
357 		bs = crypto_aead_blocksize(any_tfm_aead(cc));
358 	else
359 		bs = crypto_skcipher_blocksize(any_tfm(cc));
360 	log = ilog2(bs);
361 
362 	/* we need to calculate how far we must shift the sector count
363 	 * to get the cipher block count, we use this shift in _gen */
364 
365 	if (1 << log != bs) {
366 		ti->error = "cypher blocksize is not a power of 2";
367 		return -EINVAL;
368 	}
369 
370 	if (log > 9) {
371 		ti->error = "cypher blocksize is > 512";
372 		return -EINVAL;
373 	}
374 
375 	cc->iv_gen_private.benbi.shift = 9 - log;
376 
377 	return 0;
378 }
379 
380 static void crypt_iv_benbi_dtr(struct crypt_config *cc)
381 {
382 }
383 
384 static int crypt_iv_benbi_gen(struct crypt_config *cc, u8 *iv,
385 			      struct dm_crypt_request *dmreq)
386 {
387 	__be64 val;
388 
389 	memset(iv, 0, cc->iv_size - sizeof(u64)); /* rest is cleared below */
390 
391 	val = cpu_to_be64(((u64)dmreq->iv_sector << cc->iv_gen_private.benbi.shift) + 1);
392 	put_unaligned(val, (__be64 *)(iv + cc->iv_size - sizeof(u64)));
393 
394 	return 0;
395 }
396 
397 static int crypt_iv_null_gen(struct crypt_config *cc, u8 *iv,
398 			     struct dm_crypt_request *dmreq)
399 {
400 	memset(iv, 0, cc->iv_size);
401 
402 	return 0;
403 }
404 
405 static void crypt_iv_lmk_dtr(struct crypt_config *cc)
406 {
407 	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
408 
409 	if (lmk->hash_tfm && !IS_ERR(lmk->hash_tfm))
410 		crypto_free_shash(lmk->hash_tfm);
411 	lmk->hash_tfm = NULL;
412 
413 	kfree_sensitive(lmk->seed);
414 	lmk->seed = NULL;
415 }
416 
417 static int crypt_iv_lmk_ctr(struct crypt_config *cc, struct dm_target *ti,
418 			    const char *opts)
419 {
420 	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
421 
422 	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
423 		ti->error = "Unsupported sector size for LMK";
424 		return -EINVAL;
425 	}
426 
427 	lmk->hash_tfm = crypto_alloc_shash("md5", 0, 0);
428 	if (IS_ERR(lmk->hash_tfm)) {
429 		ti->error = "Error initializing LMK hash";
430 		return PTR_ERR(lmk->hash_tfm);
431 	}
432 
433 	/* No seed in LMK version 2 */
434 	if (cc->key_parts == cc->tfms_count) {
435 		lmk->seed = NULL;
436 		return 0;
437 	}
438 
439 	lmk->seed = kzalloc(LMK_SEED_SIZE, GFP_KERNEL);
440 	if (!lmk->seed) {
441 		crypt_iv_lmk_dtr(cc);
442 		ti->error = "Error kmallocing seed storage in LMK";
443 		return -ENOMEM;
444 	}
445 
446 	return 0;
447 }
448 
449 static int crypt_iv_lmk_init(struct crypt_config *cc)
450 {
451 	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
452 	int subkey_size = cc->key_size / cc->key_parts;
453 
454 	/* LMK seed is on the position of LMK_KEYS + 1 key */
455 	if (lmk->seed)
456 		memcpy(lmk->seed, cc->key + (cc->tfms_count * subkey_size),
457 		       crypto_shash_digestsize(lmk->hash_tfm));
458 
459 	return 0;
460 }
461 
462 static int crypt_iv_lmk_wipe(struct crypt_config *cc)
463 {
464 	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
465 
466 	if (lmk->seed)
467 		memset(lmk->seed, 0, LMK_SEED_SIZE);
468 
469 	return 0;
470 }
471 
472 static int crypt_iv_lmk_one(struct crypt_config *cc, u8 *iv,
473 			    struct dm_crypt_request *dmreq,
474 			    u8 *data)
475 {
476 	struct iv_lmk_private *lmk = &cc->iv_gen_private.lmk;
477 	SHASH_DESC_ON_STACK(desc, lmk->hash_tfm);
478 	struct md5_state md5state;
479 	__le32 buf[4];
480 	int i, r;
481 
482 	desc->tfm = lmk->hash_tfm;
483 
484 	r = crypto_shash_init(desc);
485 	if (r)
486 		return r;
487 
488 	if (lmk->seed) {
489 		r = crypto_shash_update(desc, lmk->seed, LMK_SEED_SIZE);
490 		if (r)
491 			return r;
492 	}
493 
494 	/* Sector is always 512B, block size 16, add data of blocks 1-31 */
495 	r = crypto_shash_update(desc, data + 16, 16 * 31);
496 	if (r)
497 		return r;
498 
499 	/* Sector is cropped to 56 bits here */
500 	buf[0] = cpu_to_le32(dmreq->iv_sector & 0xFFFFFFFF);
501 	buf[1] = cpu_to_le32((((u64)dmreq->iv_sector >> 32) & 0x00FFFFFF) | 0x80000000);
502 	buf[2] = cpu_to_le32(4024);
503 	buf[3] = 0;
504 	r = crypto_shash_update(desc, (u8 *)buf, sizeof(buf));
505 	if (r)
506 		return r;
507 
508 	/* No MD5 padding here */
509 	r = crypto_shash_export(desc, &md5state);
510 	if (r)
511 		return r;
512 
513 	for (i = 0; i < MD5_HASH_WORDS; i++)
514 		__cpu_to_le32s(&md5state.hash[i]);
515 	memcpy(iv, &md5state.hash, cc->iv_size);
516 
517 	return 0;
518 }
519 
520 static int crypt_iv_lmk_gen(struct crypt_config *cc, u8 *iv,
521 			    struct dm_crypt_request *dmreq)
522 {
523 	struct scatterlist *sg;
524 	u8 *src;
525 	int r = 0;
526 
527 	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE) {
528 		sg = crypt_get_sg_data(cc, dmreq->sg_in);
529 		src = kmap_atomic(sg_page(sg));
530 		r = crypt_iv_lmk_one(cc, iv, dmreq, src + sg->offset);
531 		kunmap_atomic(src);
532 	} else
533 		memset(iv, 0, cc->iv_size);
534 
535 	return r;
536 }
537 
538 static int crypt_iv_lmk_post(struct crypt_config *cc, u8 *iv,
539 			     struct dm_crypt_request *dmreq)
540 {
541 	struct scatterlist *sg;
542 	u8 *dst;
543 	int r;
544 
545 	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE)
546 		return 0;
547 
548 	sg = crypt_get_sg_data(cc, dmreq->sg_out);
549 	dst = kmap_atomic(sg_page(sg));
550 	r = crypt_iv_lmk_one(cc, iv, dmreq, dst + sg->offset);
551 
552 	/* Tweak the first block of plaintext sector */
553 	if (!r)
554 		crypto_xor(dst + sg->offset, iv, cc->iv_size);
555 
556 	kunmap_atomic(dst);
557 	return r;
558 }
559 
560 static void crypt_iv_tcw_dtr(struct crypt_config *cc)
561 {
562 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
563 
564 	kfree_sensitive(tcw->iv_seed);
565 	tcw->iv_seed = NULL;
566 	kfree_sensitive(tcw->whitening);
567 	tcw->whitening = NULL;
568 
569 	if (tcw->crc32_tfm && !IS_ERR(tcw->crc32_tfm))
570 		crypto_free_shash(tcw->crc32_tfm);
571 	tcw->crc32_tfm = NULL;
572 }
573 
574 static int crypt_iv_tcw_ctr(struct crypt_config *cc, struct dm_target *ti,
575 			    const char *opts)
576 {
577 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
578 
579 	if (cc->sector_size != (1 << SECTOR_SHIFT)) {
580 		ti->error = "Unsupported sector size for TCW";
581 		return -EINVAL;
582 	}
583 
584 	if (cc->key_size <= (cc->iv_size + TCW_WHITENING_SIZE)) {
585 		ti->error = "Wrong key size for TCW";
586 		return -EINVAL;
587 	}
588 
589 	tcw->crc32_tfm = crypto_alloc_shash("crc32", 0, 0);
590 	if (IS_ERR(tcw->crc32_tfm)) {
591 		ti->error = "Error initializing CRC32 in TCW";
592 		return PTR_ERR(tcw->crc32_tfm);
593 	}
594 
595 	tcw->iv_seed = kzalloc(cc->iv_size, GFP_KERNEL);
596 	tcw->whitening = kzalloc(TCW_WHITENING_SIZE, GFP_KERNEL);
597 	if (!tcw->iv_seed || !tcw->whitening) {
598 		crypt_iv_tcw_dtr(cc);
599 		ti->error = "Error allocating seed storage in TCW";
600 		return -ENOMEM;
601 	}
602 
603 	return 0;
604 }
605 
606 static int crypt_iv_tcw_init(struct crypt_config *cc)
607 {
608 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
609 	int key_offset = cc->key_size - cc->iv_size - TCW_WHITENING_SIZE;
610 
611 	memcpy(tcw->iv_seed, &cc->key[key_offset], cc->iv_size);
612 	memcpy(tcw->whitening, &cc->key[key_offset + cc->iv_size],
613 	       TCW_WHITENING_SIZE);
614 
615 	return 0;
616 }
617 
618 static int crypt_iv_tcw_wipe(struct crypt_config *cc)
619 {
620 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
621 
622 	memset(tcw->iv_seed, 0, cc->iv_size);
623 	memset(tcw->whitening, 0, TCW_WHITENING_SIZE);
624 
625 	return 0;
626 }
627 
628 static int crypt_iv_tcw_whitening(struct crypt_config *cc,
629 				  struct dm_crypt_request *dmreq,
630 				  u8 *data)
631 {
632 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
633 	__le64 sector = cpu_to_le64(dmreq->iv_sector);
634 	u8 buf[TCW_WHITENING_SIZE];
635 	SHASH_DESC_ON_STACK(desc, tcw->crc32_tfm);
636 	int i, r;
637 
638 	/* xor whitening with sector number */
639 	crypto_xor_cpy(buf, tcw->whitening, (u8 *)&sector, 8);
640 	crypto_xor_cpy(&buf[8], tcw->whitening + 8, (u8 *)&sector, 8);
641 
642 	/* calculate crc32 for every 32bit part and xor it */
643 	desc->tfm = tcw->crc32_tfm;
644 	for (i = 0; i < 4; i++) {
645 		r = crypto_shash_init(desc);
646 		if (r)
647 			goto out;
648 		r = crypto_shash_update(desc, &buf[i * 4], 4);
649 		if (r)
650 			goto out;
651 		r = crypto_shash_final(desc, &buf[i * 4]);
652 		if (r)
653 			goto out;
654 	}
655 	crypto_xor(&buf[0], &buf[12], 4);
656 	crypto_xor(&buf[4], &buf[8], 4);
657 
658 	/* apply whitening (8 bytes) to whole sector */
659 	for (i = 0; i < ((1 << SECTOR_SHIFT) / 8); i++)
660 		crypto_xor(data + i * 8, buf, 8);
661 out:
662 	memzero_explicit(buf, sizeof(buf));
663 	return r;
664 }
665 
666 static int crypt_iv_tcw_gen(struct crypt_config *cc, u8 *iv,
667 			    struct dm_crypt_request *dmreq)
668 {
669 	struct scatterlist *sg;
670 	struct iv_tcw_private *tcw = &cc->iv_gen_private.tcw;
671 	__le64 sector = cpu_to_le64(dmreq->iv_sector);
672 	u8 *src;
673 	int r = 0;
674 
675 	/* Remove whitening from ciphertext */
676 	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE) {
677 		sg = crypt_get_sg_data(cc, dmreq->sg_in);
678 		src = kmap_atomic(sg_page(sg));
679 		r = crypt_iv_tcw_whitening(cc, dmreq, src + sg->offset);
680 		kunmap_atomic(src);
681 	}
682 
683 	/* Calculate IV */
684 	crypto_xor_cpy(iv, tcw->iv_seed, (u8 *)&sector, 8);
685 	if (cc->iv_size > 8)
686 		crypto_xor_cpy(&iv[8], tcw->iv_seed + 8, (u8 *)&sector,
687 			       cc->iv_size - 8);
688 
689 	return r;
690 }
691 
692 static int crypt_iv_tcw_post(struct crypt_config *cc, u8 *iv,
693 			     struct dm_crypt_request *dmreq)
694 {
695 	struct scatterlist *sg;
696 	u8 *dst;
697 	int r;
698 
699 	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE)
700 		return 0;
701 
702 	/* Apply whitening on ciphertext */
703 	sg = crypt_get_sg_data(cc, dmreq->sg_out);
704 	dst = kmap_atomic(sg_page(sg));
705 	r = crypt_iv_tcw_whitening(cc, dmreq, dst + sg->offset);
706 	kunmap_atomic(dst);
707 
708 	return r;
709 }
710 
711 static int crypt_iv_random_gen(struct crypt_config *cc, u8 *iv,
712 				struct dm_crypt_request *dmreq)
713 {
714 	/* Used only for writes, there must be an additional space to store IV */
715 	get_random_bytes(iv, cc->iv_size);
716 	return 0;
717 }
718 
719 static int crypt_iv_eboiv_ctr(struct crypt_config *cc, struct dm_target *ti,
720 			    const char *opts)
721 {
722 	if (crypt_integrity_aead(cc)) {
723 		ti->error = "AEAD transforms not supported for EBOIV";
724 		return -EINVAL;
725 	}
726 
727 	if (crypto_skcipher_blocksize(any_tfm(cc)) != cc->iv_size) {
728 		ti->error = "Block size of EBOIV cipher does "
729 			    "not match IV size of block cipher";
730 		return -EINVAL;
731 	}
732 
733 	return 0;
734 }
735 
736 static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv,
737 			    struct dm_crypt_request *dmreq)
738 {
739 	u8 buf[MAX_CIPHER_BLOCKSIZE] __aligned(__alignof__(__le64));
740 	struct skcipher_request *req;
741 	struct scatterlist src, dst;
742 	struct crypto_wait wait;
743 	int err;
744 
745 	req = skcipher_request_alloc(any_tfm(cc), GFP_NOIO);
746 	if (!req)
747 		return -ENOMEM;
748 
749 	memset(buf, 0, cc->iv_size);
750 	*(__le64 *)buf = cpu_to_le64(dmreq->iv_sector * cc->sector_size);
751 
752 	sg_init_one(&src, page_address(ZERO_PAGE(0)), cc->iv_size);
753 	sg_init_one(&dst, iv, cc->iv_size);
754 	skcipher_request_set_crypt(req, &src, &dst, cc->iv_size, buf);
755 	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
756 	err = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
757 	skcipher_request_free(req);
758 
759 	return err;
760 }
761 
762 static void crypt_iv_elephant_dtr(struct crypt_config *cc)
763 {
764 	struct iv_elephant_private *elephant = &cc->iv_gen_private.elephant;
765 
766 	crypto_free_skcipher(elephant->tfm);
767 	elephant->tfm = NULL;
768 }
769 
770 static int crypt_iv_elephant_ctr(struct crypt_config *cc, struct dm_target *ti,
771 			    const char *opts)
772 {
773 	struct iv_elephant_private *elephant = &cc->iv_gen_private.elephant;
774 	int r;
775 
776 	elephant->tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
777 	if (IS_ERR(elephant->tfm)) {
778 		r = PTR_ERR(elephant->tfm);
779 		elephant->tfm = NULL;
780 		return r;
781 	}
782 
783 	r = crypt_iv_eboiv_ctr(cc, ti, NULL);
784 	if (r)
785 		crypt_iv_elephant_dtr(cc);
786 	return r;
787 }
788 
789 static void diffuser_disk_to_cpu(u32 *d, size_t n)
790 {
791 #ifndef __LITTLE_ENDIAN
792 	int i;
793 
794 	for (i = 0; i < n; i++)
795 		d[i] = le32_to_cpu((__le32)d[i]);
796 #endif
797 }
798 
799 static void diffuser_cpu_to_disk(__le32 *d, size_t n)
800 {
801 #ifndef __LITTLE_ENDIAN
802 	int i;
803 
804 	for (i = 0; i < n; i++)
805 		d[i] = cpu_to_le32((u32)d[i]);
806 #endif
807 }
808 
809 static void diffuser_a_decrypt(u32 *d, size_t n)
810 {
811 	int i, i1, i2, i3;
812 
813 	for (i = 0; i < 5; i++) {
814 		i1 = 0;
815 		i2 = n - 2;
816 		i3 = n - 5;
817 
818 		while (i1 < (n - 1)) {
819 			d[i1] += d[i2] ^ (d[i3] << 9 | d[i3] >> 23);
820 			i1++; i2++; i3++;
821 
822 			if (i3 >= n)
823 				i3 -= n;
824 
825 			d[i1] += d[i2] ^ d[i3];
826 			i1++; i2++; i3++;
827 
828 			if (i2 >= n)
829 				i2 -= n;
830 
831 			d[i1] += d[i2] ^ (d[i3] << 13 | d[i3] >> 19);
832 			i1++; i2++; i3++;
833 
834 			d[i1] += d[i2] ^ d[i3];
835 			i1++; i2++; i3++;
836 		}
837 	}
838 }
839 
840 static void diffuser_a_encrypt(u32 *d, size_t n)
841 {
842 	int i, i1, i2, i3;
843 
844 	for (i = 0; i < 5; i++) {
845 		i1 = n - 1;
846 		i2 = n - 2 - 1;
847 		i3 = n - 5 - 1;
848 
849 		while (i1 > 0) {
850 			d[i1] -= d[i2] ^ d[i3];
851 			i1--; i2--; i3--;
852 
853 			d[i1] -= d[i2] ^ (d[i3] << 13 | d[i3] >> 19);
854 			i1--; i2--; i3--;
855 
856 			if (i2 < 0)
857 				i2 += n;
858 
859 			d[i1] -= d[i2] ^ d[i3];
860 			i1--; i2--; i3--;
861 
862 			if (i3 < 0)
863 				i3 += n;
864 
865 			d[i1] -= d[i2] ^ (d[i3] << 9 | d[i3] >> 23);
866 			i1--; i2--; i3--;
867 		}
868 	}
869 }
870 
871 static void diffuser_b_decrypt(u32 *d, size_t n)
872 {
873 	int i, i1, i2, i3;
874 
875 	for (i = 0; i < 3; i++) {
876 		i1 = 0;
877 		i2 = 2;
878 		i3 = 5;
879 
880 		while (i1 < (n - 1)) {
881 			d[i1] += d[i2] ^ d[i3];
882 			i1++; i2++; i3++;
883 
884 			d[i1] += d[i2] ^ (d[i3] << 10 | d[i3] >> 22);
885 			i1++; i2++; i3++;
886 
887 			if (i2 >= n)
888 				i2 -= n;
889 
890 			d[i1] += d[i2] ^ d[i3];
891 			i1++; i2++; i3++;
892 
893 			if (i3 >= n)
894 				i3 -= n;
895 
896 			d[i1] += d[i2] ^ (d[i3] << 25 | d[i3] >> 7);
897 			i1++; i2++; i3++;
898 		}
899 	}
900 }
901 
902 static void diffuser_b_encrypt(u32 *d, size_t n)
903 {
904 	int i, i1, i2, i3;
905 
906 	for (i = 0; i < 3; i++) {
907 		i1 = n - 1;
908 		i2 = 2 - 1;
909 		i3 = 5 - 1;
910 
911 		while (i1 > 0) {
912 			d[i1] -= d[i2] ^ (d[i3] << 25 | d[i3] >> 7);
913 			i1--; i2--; i3--;
914 
915 			if (i3 < 0)
916 				i3 += n;
917 
918 			d[i1] -= d[i2] ^ d[i3];
919 			i1--; i2--; i3--;
920 
921 			if (i2 < 0)
922 				i2 += n;
923 
924 			d[i1] -= d[i2] ^ (d[i3] << 10 | d[i3] >> 22);
925 			i1--; i2--; i3--;
926 
927 			d[i1] -= d[i2] ^ d[i3];
928 			i1--; i2--; i3--;
929 		}
930 	}
931 }
932 
933 static int crypt_iv_elephant(struct crypt_config *cc, struct dm_crypt_request *dmreq)
934 {
935 	struct iv_elephant_private *elephant = &cc->iv_gen_private.elephant;
936 	u8 *es, *ks, *data, *data2, *data_offset;
937 	struct skcipher_request *req;
938 	struct scatterlist *sg, *sg2, src, dst;
939 	struct crypto_wait wait;
940 	int i, r;
941 
942 	req = skcipher_request_alloc(elephant->tfm, GFP_NOIO);
943 	es = kzalloc(16, GFP_NOIO); /* Key for AES */
944 	ks = kzalloc(32, GFP_NOIO); /* Elephant sector key */
945 
946 	if (!req || !es || !ks) {
947 		r = -ENOMEM;
948 		goto out;
949 	}
950 
951 	*(__le64 *)es = cpu_to_le64(dmreq->iv_sector * cc->sector_size);
952 
953 	/* E(Ks, e(s)) */
954 	sg_init_one(&src, es, 16);
955 	sg_init_one(&dst, ks, 16);
956 	skcipher_request_set_crypt(req, &src, &dst, 16, NULL);
957 	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
958 	r = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
959 	if (r)
960 		goto out;
961 
962 	/* E(Ks, e'(s)) */
963 	es[15] = 0x80;
964 	sg_init_one(&dst, &ks[16], 16);
965 	r = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
966 	if (r)
967 		goto out;
968 
969 	sg = crypt_get_sg_data(cc, dmreq->sg_out);
970 	data = kmap_atomic(sg_page(sg));
971 	data_offset = data + sg->offset;
972 
973 	/* Cannot modify original bio, copy to sg_out and apply Elephant to it */
974 	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE) {
975 		sg2 = crypt_get_sg_data(cc, dmreq->sg_in);
976 		data2 = kmap_atomic(sg_page(sg2));
977 		memcpy(data_offset, data2 + sg2->offset, cc->sector_size);
978 		kunmap_atomic(data2);
979 	}
980 
981 	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE) {
982 		diffuser_disk_to_cpu((u32*)data_offset, cc->sector_size / sizeof(u32));
983 		diffuser_b_decrypt((u32*)data_offset, cc->sector_size / sizeof(u32));
984 		diffuser_a_decrypt((u32*)data_offset, cc->sector_size / sizeof(u32));
985 		diffuser_cpu_to_disk((__le32*)data_offset, cc->sector_size / sizeof(u32));
986 	}
987 
988 	for (i = 0; i < (cc->sector_size / 32); i++)
989 		crypto_xor(data_offset + i * 32, ks, 32);
990 
991 	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE) {
992 		diffuser_disk_to_cpu((u32*)data_offset, cc->sector_size / sizeof(u32));
993 		diffuser_a_encrypt((u32*)data_offset, cc->sector_size / sizeof(u32));
994 		diffuser_b_encrypt((u32*)data_offset, cc->sector_size / sizeof(u32));
995 		diffuser_cpu_to_disk((__le32*)data_offset, cc->sector_size / sizeof(u32));
996 	}
997 
998 	kunmap_atomic(data);
999 out:
1000 	kfree_sensitive(ks);
1001 	kfree_sensitive(es);
1002 	skcipher_request_free(req);
1003 	return r;
1004 }
1005 
1006 static int crypt_iv_elephant_gen(struct crypt_config *cc, u8 *iv,
1007 			    struct dm_crypt_request *dmreq)
1008 {
1009 	int r;
1010 
1011 	if (bio_data_dir(dmreq->ctx->bio_in) == WRITE) {
1012 		r = crypt_iv_elephant(cc, dmreq);
1013 		if (r)
1014 			return r;
1015 	}
1016 
1017 	return crypt_iv_eboiv_gen(cc, iv, dmreq);
1018 }
1019 
1020 static int crypt_iv_elephant_post(struct crypt_config *cc, u8 *iv,
1021 				  struct dm_crypt_request *dmreq)
1022 {
1023 	if (bio_data_dir(dmreq->ctx->bio_in) != WRITE)
1024 		return crypt_iv_elephant(cc, dmreq);
1025 
1026 	return 0;
1027 }
1028 
1029 static int crypt_iv_elephant_init(struct crypt_config *cc)
1030 {
1031 	struct iv_elephant_private *elephant = &cc->iv_gen_private.elephant;
1032 	int key_offset = cc->key_size - cc->key_extra_size;
1033 
1034 	return crypto_skcipher_setkey(elephant->tfm, &cc->key[key_offset], cc->key_extra_size);
1035 }
1036 
1037 static int crypt_iv_elephant_wipe(struct crypt_config *cc)
1038 {
1039 	struct iv_elephant_private *elephant = &cc->iv_gen_private.elephant;
1040 	u8 key[ELEPHANT_MAX_KEY_SIZE];
1041 
1042 	memset(key, 0, cc->key_extra_size);
1043 	return crypto_skcipher_setkey(elephant->tfm, key, cc->key_extra_size);
1044 }
1045 
1046 static const struct crypt_iv_operations crypt_iv_plain_ops = {
1047 	.generator = crypt_iv_plain_gen
1048 };
1049 
1050 static const struct crypt_iv_operations crypt_iv_plain64_ops = {
1051 	.generator = crypt_iv_plain64_gen
1052 };
1053 
1054 static const struct crypt_iv_operations crypt_iv_plain64be_ops = {
1055 	.generator = crypt_iv_plain64be_gen
1056 };
1057 
1058 static const struct crypt_iv_operations crypt_iv_essiv_ops = {
1059 	.generator = crypt_iv_essiv_gen
1060 };
1061 
1062 static const struct crypt_iv_operations crypt_iv_benbi_ops = {
1063 	.ctr	   = crypt_iv_benbi_ctr,
1064 	.dtr	   = crypt_iv_benbi_dtr,
1065 	.generator = crypt_iv_benbi_gen
1066 };
1067 
1068 static const struct crypt_iv_operations crypt_iv_null_ops = {
1069 	.generator = crypt_iv_null_gen
1070 };
1071 
1072 static const struct crypt_iv_operations crypt_iv_lmk_ops = {
1073 	.ctr	   = crypt_iv_lmk_ctr,
1074 	.dtr	   = crypt_iv_lmk_dtr,
1075 	.init	   = crypt_iv_lmk_init,
1076 	.wipe	   = crypt_iv_lmk_wipe,
1077 	.generator = crypt_iv_lmk_gen,
1078 	.post	   = crypt_iv_lmk_post
1079 };
1080 
1081 static const struct crypt_iv_operations crypt_iv_tcw_ops = {
1082 	.ctr	   = crypt_iv_tcw_ctr,
1083 	.dtr	   = crypt_iv_tcw_dtr,
1084 	.init	   = crypt_iv_tcw_init,
1085 	.wipe	   = crypt_iv_tcw_wipe,
1086 	.generator = crypt_iv_tcw_gen,
1087 	.post	   = crypt_iv_tcw_post
1088 };
1089 
1090 static struct crypt_iv_operations crypt_iv_random_ops = {
1091 	.generator = crypt_iv_random_gen
1092 };
1093 
1094 static struct crypt_iv_operations crypt_iv_eboiv_ops = {
1095 	.ctr	   = crypt_iv_eboiv_ctr,
1096 	.generator = crypt_iv_eboiv_gen
1097 };
1098 
1099 static struct crypt_iv_operations crypt_iv_elephant_ops = {
1100 	.ctr	   = crypt_iv_elephant_ctr,
1101 	.dtr	   = crypt_iv_elephant_dtr,
1102 	.init	   = crypt_iv_elephant_init,
1103 	.wipe	   = crypt_iv_elephant_wipe,
1104 	.generator = crypt_iv_elephant_gen,
1105 	.post	   = crypt_iv_elephant_post
1106 };
1107 
1108 /*
1109  * Integrity extensions
1110  */
1111 static bool crypt_integrity_aead(struct crypt_config *cc)
1112 {
1113 	return test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags);
1114 }
1115 
1116 static bool crypt_integrity_hmac(struct crypt_config *cc)
1117 {
1118 	return crypt_integrity_aead(cc) && cc->key_mac_size;
1119 }
1120 
1121 /* Get sg containing data */
1122 static struct scatterlist *crypt_get_sg_data(struct crypt_config *cc,
1123 					     struct scatterlist *sg)
1124 {
1125 	if (unlikely(crypt_integrity_aead(cc)))
1126 		return &sg[2];
1127 
1128 	return sg;
1129 }
1130 
1131 static int dm_crypt_integrity_io_alloc(struct dm_crypt_io *io, struct bio *bio)
1132 {
1133 	struct bio_integrity_payload *bip;
1134 	unsigned int tag_len;
1135 	int ret;
1136 
1137 	if (!bio_sectors(bio) || !io->cc->on_disk_tag_size)
1138 		return 0;
1139 
1140 	bip = bio_integrity_alloc(bio, GFP_NOIO, 1);
1141 	if (IS_ERR(bip))
1142 		return PTR_ERR(bip);
1143 
1144 	tag_len = io->cc->on_disk_tag_size * (bio_sectors(bio) >> io->cc->sector_shift);
1145 
1146 	bip->bip_iter.bi_size = tag_len;
1147 	bip->bip_iter.bi_sector = io->cc->start + io->sector;
1148 
1149 	ret = bio_integrity_add_page(bio, virt_to_page(io->integrity_metadata),
1150 				     tag_len, offset_in_page(io->integrity_metadata));
1151 	if (unlikely(ret != tag_len))
1152 		return -ENOMEM;
1153 
1154 	return 0;
1155 }
1156 
1157 static int crypt_integrity_ctr(struct crypt_config *cc, struct dm_target *ti)
1158 {
1159 #ifdef CONFIG_BLK_DEV_INTEGRITY
1160 	struct blk_integrity *bi = blk_get_integrity(cc->dev->bdev->bd_disk);
1161 	struct mapped_device *md = dm_table_get_md(ti->table);
1162 
1163 	/* From now we require underlying device with our integrity profile */
1164 	if (!bi || strcasecmp(bi->profile->name, "DM-DIF-EXT-TAG")) {
1165 		ti->error = "Integrity profile not supported.";
1166 		return -EINVAL;
1167 	}
1168 
1169 	if (bi->tag_size != cc->on_disk_tag_size ||
1170 	    bi->tuple_size != cc->on_disk_tag_size) {
1171 		ti->error = "Integrity profile tag size mismatch.";
1172 		return -EINVAL;
1173 	}
1174 	if (1 << bi->interval_exp != cc->sector_size) {
1175 		ti->error = "Integrity profile sector size mismatch.";
1176 		return -EINVAL;
1177 	}
1178 
1179 	if (crypt_integrity_aead(cc)) {
1180 		cc->integrity_tag_size = cc->on_disk_tag_size - cc->integrity_iv_size;
1181 		DMDEBUG("%s: Integrity AEAD, tag size %u, IV size %u.", dm_device_name(md),
1182 		       cc->integrity_tag_size, cc->integrity_iv_size);
1183 
1184 		if (crypto_aead_setauthsize(any_tfm_aead(cc), cc->integrity_tag_size)) {
1185 			ti->error = "Integrity AEAD auth tag size is not supported.";
1186 			return -EINVAL;
1187 		}
1188 	} else if (cc->integrity_iv_size)
1189 		DMDEBUG("%s: Additional per-sector space %u bytes for IV.", dm_device_name(md),
1190 		       cc->integrity_iv_size);
1191 
1192 	if ((cc->integrity_tag_size + cc->integrity_iv_size) != bi->tag_size) {
1193 		ti->error = "Not enough space for integrity tag in the profile.";
1194 		return -EINVAL;
1195 	}
1196 
1197 	return 0;
1198 #else
1199 	ti->error = "Integrity profile not supported.";
1200 	return -EINVAL;
1201 #endif
1202 }
1203 
1204 static void crypt_convert_init(struct crypt_config *cc,
1205 			       struct convert_context *ctx,
1206 			       struct bio *bio_out, struct bio *bio_in,
1207 			       sector_t sector)
1208 {
1209 	ctx->bio_in = bio_in;
1210 	ctx->bio_out = bio_out;
1211 	if (bio_in)
1212 		ctx->iter_in = bio_in->bi_iter;
1213 	if (bio_out)
1214 		ctx->iter_out = bio_out->bi_iter;
1215 	ctx->cc_sector = sector + cc->iv_offset;
1216 	init_completion(&ctx->restart);
1217 }
1218 
1219 static struct dm_crypt_request *dmreq_of_req(struct crypt_config *cc,
1220 					     void *req)
1221 {
1222 	return (struct dm_crypt_request *)((char *)req + cc->dmreq_start);
1223 }
1224 
1225 static void *req_of_dmreq(struct crypt_config *cc, struct dm_crypt_request *dmreq)
1226 {
1227 	return (void *)((char *)dmreq - cc->dmreq_start);
1228 }
1229 
1230 static u8 *iv_of_dmreq(struct crypt_config *cc,
1231 		       struct dm_crypt_request *dmreq)
1232 {
1233 	if (crypt_integrity_aead(cc))
1234 		return (u8 *)ALIGN((unsigned long)(dmreq + 1),
1235 			crypto_aead_alignmask(any_tfm_aead(cc)) + 1);
1236 	else
1237 		return (u8 *)ALIGN((unsigned long)(dmreq + 1),
1238 			crypto_skcipher_alignmask(any_tfm(cc)) + 1);
1239 }
1240 
1241 static u8 *org_iv_of_dmreq(struct crypt_config *cc,
1242 		       struct dm_crypt_request *dmreq)
1243 {
1244 	return iv_of_dmreq(cc, dmreq) + cc->iv_size;
1245 }
1246 
1247 static __le64 *org_sector_of_dmreq(struct crypt_config *cc,
1248 		       struct dm_crypt_request *dmreq)
1249 {
1250 	u8 *ptr = iv_of_dmreq(cc, dmreq) + cc->iv_size + cc->iv_size;
1251 	return (__le64 *) ptr;
1252 }
1253 
1254 static unsigned int *org_tag_of_dmreq(struct crypt_config *cc,
1255 		       struct dm_crypt_request *dmreq)
1256 {
1257 	u8 *ptr = iv_of_dmreq(cc, dmreq) + cc->iv_size +
1258 		  cc->iv_size + sizeof(uint64_t);
1259 	return (unsigned int*)ptr;
1260 }
1261 
1262 static void *tag_from_dmreq(struct crypt_config *cc,
1263 				struct dm_crypt_request *dmreq)
1264 {
1265 	struct convert_context *ctx = dmreq->ctx;
1266 	struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
1267 
1268 	return &io->integrity_metadata[*org_tag_of_dmreq(cc, dmreq) *
1269 		cc->on_disk_tag_size];
1270 }
1271 
1272 static void *iv_tag_from_dmreq(struct crypt_config *cc,
1273 			       struct dm_crypt_request *dmreq)
1274 {
1275 	return tag_from_dmreq(cc, dmreq) + cc->integrity_tag_size;
1276 }
1277 
1278 static int crypt_convert_block_aead(struct crypt_config *cc,
1279 				     struct convert_context *ctx,
1280 				     struct aead_request *req,
1281 				     unsigned int tag_offset)
1282 {
1283 	struct bio_vec bv_in = bio_iter_iovec(ctx->bio_in, ctx->iter_in);
1284 	struct bio_vec bv_out = bio_iter_iovec(ctx->bio_out, ctx->iter_out);
1285 	struct dm_crypt_request *dmreq;
1286 	u8 *iv, *org_iv, *tag_iv, *tag;
1287 	__le64 *sector;
1288 	int r = 0;
1289 
1290 	BUG_ON(cc->integrity_iv_size && cc->integrity_iv_size != cc->iv_size);
1291 
1292 	/* Reject unexpected unaligned bio. */
1293 	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
1294 		return -EIO;
1295 
1296 	dmreq = dmreq_of_req(cc, req);
1297 	dmreq->iv_sector = ctx->cc_sector;
1298 	if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
1299 		dmreq->iv_sector >>= cc->sector_shift;
1300 	dmreq->ctx = ctx;
1301 
1302 	*org_tag_of_dmreq(cc, dmreq) = tag_offset;
1303 
1304 	sector = org_sector_of_dmreq(cc, dmreq);
1305 	*sector = cpu_to_le64(ctx->cc_sector - cc->iv_offset);
1306 
1307 	iv = iv_of_dmreq(cc, dmreq);
1308 	org_iv = org_iv_of_dmreq(cc, dmreq);
1309 	tag = tag_from_dmreq(cc, dmreq);
1310 	tag_iv = iv_tag_from_dmreq(cc, dmreq);
1311 
1312 	/* AEAD request:
1313 	 *  |----- AAD -------|------ DATA -------|-- AUTH TAG --|
1314 	 *  | (authenticated) | (auth+encryption) |              |
1315 	 *  | sector_LE |  IV |  sector in/out    |  tag in/out  |
1316 	 */
1317 	sg_init_table(dmreq->sg_in, 4);
1318 	sg_set_buf(&dmreq->sg_in[0], sector, sizeof(uint64_t));
1319 	sg_set_buf(&dmreq->sg_in[1], org_iv, cc->iv_size);
1320 	sg_set_page(&dmreq->sg_in[2], bv_in.bv_page, cc->sector_size, bv_in.bv_offset);
1321 	sg_set_buf(&dmreq->sg_in[3], tag, cc->integrity_tag_size);
1322 
1323 	sg_init_table(dmreq->sg_out, 4);
1324 	sg_set_buf(&dmreq->sg_out[0], sector, sizeof(uint64_t));
1325 	sg_set_buf(&dmreq->sg_out[1], org_iv, cc->iv_size);
1326 	sg_set_page(&dmreq->sg_out[2], bv_out.bv_page, cc->sector_size, bv_out.bv_offset);
1327 	sg_set_buf(&dmreq->sg_out[3], tag, cc->integrity_tag_size);
1328 
1329 	if (cc->iv_gen_ops) {
1330 		/* For READs use IV stored in integrity metadata */
1331 		if (cc->integrity_iv_size && bio_data_dir(ctx->bio_in) != WRITE) {
1332 			memcpy(org_iv, tag_iv, cc->iv_size);
1333 		} else {
1334 			r = cc->iv_gen_ops->generator(cc, org_iv, dmreq);
1335 			if (r < 0)
1336 				return r;
1337 			/* Store generated IV in integrity metadata */
1338 			if (cc->integrity_iv_size)
1339 				memcpy(tag_iv, org_iv, cc->iv_size);
1340 		}
1341 		/* Working copy of IV, to be modified in crypto API */
1342 		memcpy(iv, org_iv, cc->iv_size);
1343 	}
1344 
1345 	aead_request_set_ad(req, sizeof(uint64_t) + cc->iv_size);
1346 	if (bio_data_dir(ctx->bio_in) == WRITE) {
1347 		aead_request_set_crypt(req, dmreq->sg_in, dmreq->sg_out,
1348 				       cc->sector_size, iv);
1349 		r = crypto_aead_encrypt(req);
1350 		if (cc->integrity_tag_size + cc->integrity_iv_size != cc->on_disk_tag_size)
1351 			memset(tag + cc->integrity_tag_size + cc->integrity_iv_size, 0,
1352 			       cc->on_disk_tag_size - (cc->integrity_tag_size + cc->integrity_iv_size));
1353 	} else {
1354 		aead_request_set_crypt(req, dmreq->sg_in, dmreq->sg_out,
1355 				       cc->sector_size + cc->integrity_tag_size, iv);
1356 		r = crypto_aead_decrypt(req);
1357 	}
1358 
1359 	if (r == -EBADMSG) {
1360 		char b[BDEVNAME_SIZE];
1361 		DMERR_LIMIT("%s: INTEGRITY AEAD ERROR, sector %llu", bio_devname(ctx->bio_in, b),
1362 			    (unsigned long long)le64_to_cpu(*sector));
1363 	}
1364 
1365 	if (!r && cc->iv_gen_ops && cc->iv_gen_ops->post)
1366 		r = cc->iv_gen_ops->post(cc, org_iv, dmreq);
1367 
1368 	bio_advance_iter(ctx->bio_in, &ctx->iter_in, cc->sector_size);
1369 	bio_advance_iter(ctx->bio_out, &ctx->iter_out, cc->sector_size);
1370 
1371 	return r;
1372 }
1373 
1374 static int crypt_convert_block_skcipher(struct crypt_config *cc,
1375 					struct convert_context *ctx,
1376 					struct skcipher_request *req,
1377 					unsigned int tag_offset)
1378 {
1379 	struct bio_vec bv_in = bio_iter_iovec(ctx->bio_in, ctx->iter_in);
1380 	struct bio_vec bv_out = bio_iter_iovec(ctx->bio_out, ctx->iter_out);
1381 	struct scatterlist *sg_in, *sg_out;
1382 	struct dm_crypt_request *dmreq;
1383 	u8 *iv, *org_iv, *tag_iv;
1384 	__le64 *sector;
1385 	int r = 0;
1386 
1387 	/* Reject unexpected unaligned bio. */
1388 	if (unlikely(bv_in.bv_len & (cc->sector_size - 1)))
1389 		return -EIO;
1390 
1391 	dmreq = dmreq_of_req(cc, req);
1392 	dmreq->iv_sector = ctx->cc_sector;
1393 	if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
1394 		dmreq->iv_sector >>= cc->sector_shift;
1395 	dmreq->ctx = ctx;
1396 
1397 	*org_tag_of_dmreq(cc, dmreq) = tag_offset;
1398 
1399 	iv = iv_of_dmreq(cc, dmreq);
1400 	org_iv = org_iv_of_dmreq(cc, dmreq);
1401 	tag_iv = iv_tag_from_dmreq(cc, dmreq);
1402 
1403 	sector = org_sector_of_dmreq(cc, dmreq);
1404 	*sector = cpu_to_le64(ctx->cc_sector - cc->iv_offset);
1405 
1406 	/* For skcipher we use only the first sg item */
1407 	sg_in  = &dmreq->sg_in[0];
1408 	sg_out = &dmreq->sg_out[0];
1409 
1410 	sg_init_table(sg_in, 1);
1411 	sg_set_page(sg_in, bv_in.bv_page, cc->sector_size, bv_in.bv_offset);
1412 
1413 	sg_init_table(sg_out, 1);
1414 	sg_set_page(sg_out, bv_out.bv_page, cc->sector_size, bv_out.bv_offset);
1415 
1416 	if (cc->iv_gen_ops) {
1417 		/* For READs use IV stored in integrity metadata */
1418 		if (cc->integrity_iv_size && bio_data_dir(ctx->bio_in) != WRITE) {
1419 			memcpy(org_iv, tag_iv, cc->integrity_iv_size);
1420 		} else {
1421 			r = cc->iv_gen_ops->generator(cc, org_iv, dmreq);
1422 			if (r < 0)
1423 				return r;
1424 			/* Data can be already preprocessed in generator */
1425 			if (test_bit(CRYPT_ENCRYPT_PREPROCESS, &cc->cipher_flags))
1426 				sg_in = sg_out;
1427 			/* Store generated IV in integrity metadata */
1428 			if (cc->integrity_iv_size)
1429 				memcpy(tag_iv, org_iv, cc->integrity_iv_size);
1430 		}
1431 		/* Working copy of IV, to be modified in crypto API */
1432 		memcpy(iv, org_iv, cc->iv_size);
1433 	}
1434 
1435 	skcipher_request_set_crypt(req, sg_in, sg_out, cc->sector_size, iv);
1436 
1437 	if (bio_data_dir(ctx->bio_in) == WRITE)
1438 		r = crypto_skcipher_encrypt(req);
1439 	else
1440 		r = crypto_skcipher_decrypt(req);
1441 
1442 	if (!r && cc->iv_gen_ops && cc->iv_gen_ops->post)
1443 		r = cc->iv_gen_ops->post(cc, org_iv, dmreq);
1444 
1445 	bio_advance_iter(ctx->bio_in, &ctx->iter_in, cc->sector_size);
1446 	bio_advance_iter(ctx->bio_out, &ctx->iter_out, cc->sector_size);
1447 
1448 	return r;
1449 }
1450 
1451 static void kcryptd_async_done(struct crypto_async_request *async_req,
1452 			       int error);
1453 
1454 static void crypt_alloc_req_skcipher(struct crypt_config *cc,
1455 				     struct convert_context *ctx)
1456 {
1457 	unsigned key_index = ctx->cc_sector & (cc->tfms_count - 1);
1458 
1459 	if (!ctx->r.req)
1460 		ctx->r.req = mempool_alloc(&cc->req_pool, GFP_NOIO);
1461 
1462 	skcipher_request_set_tfm(ctx->r.req, cc->cipher_tfm.tfms[key_index]);
1463 
1464 	/*
1465 	 * Use REQ_MAY_BACKLOG so a cipher driver internally backlogs
1466 	 * requests if driver request queue is full.
1467 	 */
1468 	skcipher_request_set_callback(ctx->r.req,
1469 	    CRYPTO_TFM_REQ_MAY_BACKLOG,
1470 	    kcryptd_async_done, dmreq_of_req(cc, ctx->r.req));
1471 }
1472 
1473 static void crypt_alloc_req_aead(struct crypt_config *cc,
1474 				 struct convert_context *ctx)
1475 {
1476 	if (!ctx->r.req_aead)
1477 		ctx->r.req_aead = mempool_alloc(&cc->req_pool, GFP_NOIO);
1478 
1479 	aead_request_set_tfm(ctx->r.req_aead, cc->cipher_tfm.tfms_aead[0]);
1480 
1481 	/*
1482 	 * Use REQ_MAY_BACKLOG so a cipher driver internally backlogs
1483 	 * requests if driver request queue is full.
1484 	 */
1485 	aead_request_set_callback(ctx->r.req_aead,
1486 	    CRYPTO_TFM_REQ_MAY_BACKLOG,
1487 	    kcryptd_async_done, dmreq_of_req(cc, ctx->r.req_aead));
1488 }
1489 
1490 static void crypt_alloc_req(struct crypt_config *cc,
1491 			    struct convert_context *ctx)
1492 {
1493 	if (crypt_integrity_aead(cc))
1494 		crypt_alloc_req_aead(cc, ctx);
1495 	else
1496 		crypt_alloc_req_skcipher(cc, ctx);
1497 }
1498 
1499 static void crypt_free_req_skcipher(struct crypt_config *cc,
1500 				    struct skcipher_request *req, struct bio *base_bio)
1501 {
1502 	struct dm_crypt_io *io = dm_per_bio_data(base_bio, cc->per_bio_data_size);
1503 
1504 	if ((struct skcipher_request *)(io + 1) != req)
1505 		mempool_free(req, &cc->req_pool);
1506 }
1507 
1508 static void crypt_free_req_aead(struct crypt_config *cc,
1509 				struct aead_request *req, struct bio *base_bio)
1510 {
1511 	struct dm_crypt_io *io = dm_per_bio_data(base_bio, cc->per_bio_data_size);
1512 
1513 	if ((struct aead_request *)(io + 1) != req)
1514 		mempool_free(req, &cc->req_pool);
1515 }
1516 
1517 static void crypt_free_req(struct crypt_config *cc, void *req, struct bio *base_bio)
1518 {
1519 	if (crypt_integrity_aead(cc))
1520 		crypt_free_req_aead(cc, req, base_bio);
1521 	else
1522 		crypt_free_req_skcipher(cc, req, base_bio);
1523 }
1524 
1525 /*
1526  * Encrypt / decrypt data from one bio to another one (can be the same one)
1527  */
1528 static blk_status_t crypt_convert(struct crypt_config *cc,
1529 			 struct convert_context *ctx, bool atomic)
1530 {
1531 	unsigned int tag_offset = 0;
1532 	unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT;
1533 	int r;
1534 
1535 	atomic_set(&ctx->cc_pending, 1);
1536 
1537 	while (ctx->iter_in.bi_size && ctx->iter_out.bi_size) {
1538 
1539 		crypt_alloc_req(cc, ctx);
1540 		atomic_inc(&ctx->cc_pending);
1541 
1542 		if (crypt_integrity_aead(cc))
1543 			r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset);
1544 		else
1545 			r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset);
1546 
1547 		switch (r) {
1548 		/*
1549 		 * The request was queued by a crypto driver
1550 		 * but the driver request queue is full, let's wait.
1551 		 */
1552 		case -EBUSY:
1553 			wait_for_completion(&ctx->restart);
1554 			reinit_completion(&ctx->restart);
1555 			/* fall through */
1556 		/*
1557 		 * The request is queued and processed asynchronously,
1558 		 * completion function kcryptd_async_done() will be called.
1559 		 */
1560 		case -EINPROGRESS:
1561 			ctx->r.req = NULL;
1562 			ctx->cc_sector += sector_step;
1563 			tag_offset++;
1564 			continue;
1565 		/*
1566 		 * The request was already processed (synchronously).
1567 		 */
1568 		case 0:
1569 			atomic_dec(&ctx->cc_pending);
1570 			ctx->cc_sector += sector_step;
1571 			tag_offset++;
1572 			if (!atomic)
1573 				cond_resched();
1574 			continue;
1575 		/*
1576 		 * There was a data integrity error.
1577 		 */
1578 		case -EBADMSG:
1579 			atomic_dec(&ctx->cc_pending);
1580 			return BLK_STS_PROTECTION;
1581 		/*
1582 		 * There was an error while processing the request.
1583 		 */
1584 		default:
1585 			atomic_dec(&ctx->cc_pending);
1586 			return BLK_STS_IOERR;
1587 		}
1588 	}
1589 
1590 	return 0;
1591 }
1592 
1593 static void crypt_free_buffer_pages(struct crypt_config *cc, struct bio *clone);
1594 
1595 /*
1596  * Generate a new unfragmented bio with the given size
1597  * This should never violate the device limitations (but only because
1598  * max_segment_size is being constrained to PAGE_SIZE).
1599  *
1600  * This function may be called concurrently. If we allocate from the mempool
1601  * concurrently, there is a possibility of deadlock. For example, if we have
1602  * mempool of 256 pages, two processes, each wanting 256, pages allocate from
1603  * the mempool concurrently, it may deadlock in a situation where both processes
1604  * have allocated 128 pages and the mempool is exhausted.
1605  *
1606  * In order to avoid this scenario we allocate the pages under a mutex.
1607  *
1608  * In order to not degrade performance with excessive locking, we try
1609  * non-blocking allocations without a mutex first but on failure we fallback
1610  * to blocking allocations with a mutex.
1611  */
1612 static struct bio *crypt_alloc_buffer(struct dm_crypt_io *io, unsigned size)
1613 {
1614 	struct crypt_config *cc = io->cc;
1615 	struct bio *clone;
1616 	unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
1617 	gfp_t gfp_mask = GFP_NOWAIT | __GFP_HIGHMEM;
1618 	unsigned i, len, remaining_size;
1619 	struct page *page;
1620 
1621 retry:
1622 	if (unlikely(gfp_mask & __GFP_DIRECT_RECLAIM))
1623 		mutex_lock(&cc->bio_alloc_lock);
1624 
1625 	clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, &cc->bs);
1626 	if (!clone)
1627 		goto out;
1628 
1629 	clone_init(io, clone);
1630 
1631 	remaining_size = size;
1632 
1633 	for (i = 0; i < nr_iovecs; i++) {
1634 		page = mempool_alloc(&cc->page_pool, gfp_mask);
1635 		if (!page) {
1636 			crypt_free_buffer_pages(cc, clone);
1637 			bio_put(clone);
1638 			gfp_mask |= __GFP_DIRECT_RECLAIM;
1639 			goto retry;
1640 		}
1641 
1642 		len = (remaining_size > PAGE_SIZE) ? PAGE_SIZE : remaining_size;
1643 
1644 		bio_add_page(clone, page, len, 0);
1645 
1646 		remaining_size -= len;
1647 	}
1648 
1649 	/* Allocate space for integrity tags */
1650 	if (dm_crypt_integrity_io_alloc(io, clone)) {
1651 		crypt_free_buffer_pages(cc, clone);
1652 		bio_put(clone);
1653 		clone = NULL;
1654 	}
1655 out:
1656 	if (unlikely(gfp_mask & __GFP_DIRECT_RECLAIM))
1657 		mutex_unlock(&cc->bio_alloc_lock);
1658 
1659 	return clone;
1660 }
1661 
1662 static void crypt_free_buffer_pages(struct crypt_config *cc, struct bio *clone)
1663 {
1664 	struct bio_vec *bv;
1665 	struct bvec_iter_all iter_all;
1666 
1667 	bio_for_each_segment_all(bv, clone, iter_all) {
1668 		BUG_ON(!bv->bv_page);
1669 		mempool_free(bv->bv_page, &cc->page_pool);
1670 	}
1671 }
1672 
1673 static void crypt_io_init(struct dm_crypt_io *io, struct crypt_config *cc,
1674 			  struct bio *bio, sector_t sector)
1675 {
1676 	io->cc = cc;
1677 	io->base_bio = bio;
1678 	io->sector = sector;
1679 	io->error = 0;
1680 	io->ctx.r.req = NULL;
1681 	io->integrity_metadata = NULL;
1682 	io->integrity_metadata_from_pool = false;
1683 	atomic_set(&io->io_pending, 0);
1684 }
1685 
1686 static void crypt_inc_pending(struct dm_crypt_io *io)
1687 {
1688 	atomic_inc(&io->io_pending);
1689 }
1690 
1691 /*
1692  * One of the bios was finished. Check for completion of
1693  * the whole request and correctly clean up the buffer.
1694  */
1695 static void crypt_dec_pending(struct dm_crypt_io *io)
1696 {
1697 	struct crypt_config *cc = io->cc;
1698 	struct bio *base_bio = io->base_bio;
1699 	blk_status_t error = io->error;
1700 
1701 	if (!atomic_dec_and_test(&io->io_pending))
1702 		return;
1703 
1704 	if (io->ctx.r.req)
1705 		crypt_free_req(cc, io->ctx.r.req, base_bio);
1706 
1707 	if (unlikely(io->integrity_metadata_from_pool))
1708 		mempool_free(io->integrity_metadata, &io->cc->tag_pool);
1709 	else
1710 		kfree(io->integrity_metadata);
1711 
1712 	base_bio->bi_status = error;
1713 	bio_endio(base_bio);
1714 }
1715 
1716 /*
1717  * kcryptd/kcryptd_io:
1718  *
1719  * Needed because it would be very unwise to do decryption in an
1720  * interrupt context.
1721  *
1722  * kcryptd performs the actual encryption or decryption.
1723  *
1724  * kcryptd_io performs the IO submission.
1725  *
1726  * They must be separated as otherwise the final stages could be
1727  * starved by new requests which can block in the first stages due
1728  * to memory allocation.
1729  *
1730  * The work is done per CPU global for all dm-crypt instances.
1731  * They should not depend on each other and do not block.
1732  */
1733 static void crypt_endio(struct bio *clone)
1734 {
1735 	struct dm_crypt_io *io = clone->bi_private;
1736 	struct crypt_config *cc = io->cc;
1737 	unsigned rw = bio_data_dir(clone);
1738 	blk_status_t error;
1739 
1740 	/*
1741 	 * free the processed pages
1742 	 */
1743 	if (rw == WRITE)
1744 		crypt_free_buffer_pages(cc, clone);
1745 
1746 	error = clone->bi_status;
1747 	bio_put(clone);
1748 
1749 	if (rw == READ && !error) {
1750 		kcryptd_queue_crypt(io);
1751 		return;
1752 	}
1753 
1754 	if (unlikely(error))
1755 		io->error = error;
1756 
1757 	crypt_dec_pending(io);
1758 }
1759 
1760 static void clone_init(struct dm_crypt_io *io, struct bio *clone)
1761 {
1762 	struct crypt_config *cc = io->cc;
1763 
1764 	clone->bi_private = io;
1765 	clone->bi_end_io  = crypt_endio;
1766 	bio_set_dev(clone, cc->dev->bdev);
1767 	clone->bi_opf	  = io->base_bio->bi_opf;
1768 }
1769 
1770 static int kcryptd_io_read(struct dm_crypt_io *io, gfp_t gfp)
1771 {
1772 	struct crypt_config *cc = io->cc;
1773 	struct bio *clone;
1774 
1775 	/*
1776 	 * We need the original biovec array in order to decrypt
1777 	 * the whole bio data *afterwards* -- thanks to immutable
1778 	 * biovecs we don't need to worry about the block layer
1779 	 * modifying the biovec array; so leverage bio_clone_fast().
1780 	 */
1781 	clone = bio_clone_fast(io->base_bio, gfp, &cc->bs);
1782 	if (!clone)
1783 		return 1;
1784 
1785 	crypt_inc_pending(io);
1786 
1787 	clone_init(io, clone);
1788 	clone->bi_iter.bi_sector = cc->start + io->sector;
1789 
1790 	if (dm_crypt_integrity_io_alloc(io, clone)) {
1791 		crypt_dec_pending(io);
1792 		bio_put(clone);
1793 		return 1;
1794 	}
1795 
1796 	submit_bio_noacct(clone);
1797 	return 0;
1798 }
1799 
1800 static void kcryptd_io_read_work(struct work_struct *work)
1801 {
1802 	struct dm_crypt_io *io = container_of(work, struct dm_crypt_io, work);
1803 
1804 	crypt_inc_pending(io);
1805 	if (kcryptd_io_read(io, GFP_NOIO))
1806 		io->error = BLK_STS_RESOURCE;
1807 	crypt_dec_pending(io);
1808 }
1809 
1810 static void kcryptd_queue_read(struct dm_crypt_io *io)
1811 {
1812 	struct crypt_config *cc = io->cc;
1813 
1814 	INIT_WORK(&io->work, kcryptd_io_read_work);
1815 	queue_work(cc->io_queue, &io->work);
1816 }
1817 
1818 static void kcryptd_io_write(struct dm_crypt_io *io)
1819 {
1820 	struct bio *clone = io->ctx.bio_out;
1821 
1822 	submit_bio_noacct(clone);
1823 }
1824 
1825 #define crypt_io_from_node(node) rb_entry((node), struct dm_crypt_io, rb_node)
1826 
1827 static int dmcrypt_write(void *data)
1828 {
1829 	struct crypt_config *cc = data;
1830 	struct dm_crypt_io *io;
1831 
1832 	while (1) {
1833 		struct rb_root write_tree;
1834 		struct blk_plug plug;
1835 
1836 		spin_lock_irq(&cc->write_thread_lock);
1837 continue_locked:
1838 
1839 		if (!RB_EMPTY_ROOT(&cc->write_tree))
1840 			goto pop_from_list;
1841 
1842 		set_current_state(TASK_INTERRUPTIBLE);
1843 
1844 		spin_unlock_irq(&cc->write_thread_lock);
1845 
1846 		if (unlikely(kthread_should_stop())) {
1847 			set_current_state(TASK_RUNNING);
1848 			break;
1849 		}
1850 
1851 		schedule();
1852 
1853 		set_current_state(TASK_RUNNING);
1854 		spin_lock_irq(&cc->write_thread_lock);
1855 		goto continue_locked;
1856 
1857 pop_from_list:
1858 		write_tree = cc->write_tree;
1859 		cc->write_tree = RB_ROOT;
1860 		spin_unlock_irq(&cc->write_thread_lock);
1861 
1862 		BUG_ON(rb_parent(write_tree.rb_node));
1863 
1864 		/*
1865 		 * Note: we cannot walk the tree here with rb_next because
1866 		 * the structures may be freed when kcryptd_io_write is called.
1867 		 */
1868 		blk_start_plug(&plug);
1869 		do {
1870 			io = crypt_io_from_node(rb_first(&write_tree));
1871 			rb_erase(&io->rb_node, &write_tree);
1872 			kcryptd_io_write(io);
1873 		} while (!RB_EMPTY_ROOT(&write_tree));
1874 		blk_finish_plug(&plug);
1875 	}
1876 	return 0;
1877 }
1878 
1879 static void kcryptd_crypt_write_io_submit(struct dm_crypt_io *io, int async)
1880 {
1881 	struct bio *clone = io->ctx.bio_out;
1882 	struct crypt_config *cc = io->cc;
1883 	unsigned long flags;
1884 	sector_t sector;
1885 	struct rb_node **rbp, *parent;
1886 
1887 	if (unlikely(io->error)) {
1888 		crypt_free_buffer_pages(cc, clone);
1889 		bio_put(clone);
1890 		crypt_dec_pending(io);
1891 		return;
1892 	}
1893 
1894 	/* crypt_convert should have filled the clone bio */
1895 	BUG_ON(io->ctx.iter_out.bi_size);
1896 
1897 	clone->bi_iter.bi_sector = cc->start + io->sector;
1898 
1899 	if ((likely(!async) && test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags)) ||
1900 	    test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags)) {
1901 		submit_bio_noacct(clone);
1902 		return;
1903 	}
1904 
1905 	spin_lock_irqsave(&cc->write_thread_lock, flags);
1906 	if (RB_EMPTY_ROOT(&cc->write_tree))
1907 		wake_up_process(cc->write_thread);
1908 	rbp = &cc->write_tree.rb_node;
1909 	parent = NULL;
1910 	sector = io->sector;
1911 	while (*rbp) {
1912 		parent = *rbp;
1913 		if (sector < crypt_io_from_node(parent)->sector)
1914 			rbp = &(*rbp)->rb_left;
1915 		else
1916 			rbp = &(*rbp)->rb_right;
1917 	}
1918 	rb_link_node(&io->rb_node, parent, rbp);
1919 	rb_insert_color(&io->rb_node, &cc->write_tree);
1920 	spin_unlock_irqrestore(&cc->write_thread_lock, flags);
1921 }
1922 
1923 static bool kcryptd_crypt_write_inline(struct crypt_config *cc,
1924 				       struct convert_context *ctx)
1925 
1926 {
1927 	if (!test_bit(DM_CRYPT_WRITE_INLINE, &cc->flags))
1928 		return false;
1929 
1930 	/*
1931 	 * Note: zone append writes (REQ_OP_ZONE_APPEND) do not have ordering
1932 	 * constraints so they do not need to be issued inline by
1933 	 * kcryptd_crypt_write_convert().
1934 	 */
1935 	switch (bio_op(ctx->bio_in)) {
1936 	case REQ_OP_WRITE:
1937 	case REQ_OP_WRITE_SAME:
1938 	case REQ_OP_WRITE_ZEROES:
1939 		return true;
1940 	default:
1941 		return false;
1942 	}
1943 }
1944 
1945 static void kcryptd_crypt_write_convert(struct dm_crypt_io *io)
1946 {
1947 	struct crypt_config *cc = io->cc;
1948 	struct convert_context *ctx = &io->ctx;
1949 	struct bio *clone;
1950 	int crypt_finished;
1951 	sector_t sector = io->sector;
1952 	blk_status_t r;
1953 
1954 	/*
1955 	 * Prevent io from disappearing until this function completes.
1956 	 */
1957 	crypt_inc_pending(io);
1958 	crypt_convert_init(cc, ctx, NULL, io->base_bio, sector);
1959 
1960 	clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size);
1961 	if (unlikely(!clone)) {
1962 		io->error = BLK_STS_IOERR;
1963 		goto dec;
1964 	}
1965 
1966 	io->ctx.bio_out = clone;
1967 	io->ctx.iter_out = clone->bi_iter;
1968 
1969 	sector += bio_sectors(clone);
1970 
1971 	crypt_inc_pending(io);
1972 	r = crypt_convert(cc, ctx,
1973 			  test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags));
1974 	if (r)
1975 		io->error = r;
1976 	crypt_finished = atomic_dec_and_test(&ctx->cc_pending);
1977 	if (!crypt_finished && kcryptd_crypt_write_inline(cc, ctx)) {
1978 		/* Wait for completion signaled by kcryptd_async_done() */
1979 		wait_for_completion(&ctx->restart);
1980 		crypt_finished = 1;
1981 	}
1982 
1983 	/* Encryption was already finished, submit io now */
1984 	if (crypt_finished) {
1985 		kcryptd_crypt_write_io_submit(io, 0);
1986 		io->sector = sector;
1987 	}
1988 
1989 dec:
1990 	crypt_dec_pending(io);
1991 }
1992 
1993 static void kcryptd_crypt_read_done(struct dm_crypt_io *io)
1994 {
1995 	crypt_dec_pending(io);
1996 }
1997 
1998 static void kcryptd_crypt_read_convert(struct dm_crypt_io *io)
1999 {
2000 	struct crypt_config *cc = io->cc;
2001 	blk_status_t r;
2002 
2003 	crypt_inc_pending(io);
2004 
2005 	crypt_convert_init(cc, &io->ctx, io->base_bio, io->base_bio,
2006 			   io->sector);
2007 
2008 	r = crypt_convert(cc, &io->ctx,
2009 			  test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags));
2010 	if (r)
2011 		io->error = r;
2012 
2013 	if (atomic_dec_and_test(&io->ctx.cc_pending))
2014 		kcryptd_crypt_read_done(io);
2015 
2016 	crypt_dec_pending(io);
2017 }
2018 
2019 static void kcryptd_async_done(struct crypto_async_request *async_req,
2020 			       int error)
2021 {
2022 	struct dm_crypt_request *dmreq = async_req->data;
2023 	struct convert_context *ctx = dmreq->ctx;
2024 	struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx);
2025 	struct crypt_config *cc = io->cc;
2026 
2027 	/*
2028 	 * A request from crypto driver backlog is going to be processed now,
2029 	 * finish the completion and continue in crypt_convert().
2030 	 * (Callback will be called for the second time for this request.)
2031 	 */
2032 	if (error == -EINPROGRESS) {
2033 		complete(&ctx->restart);
2034 		return;
2035 	}
2036 
2037 	if (!error && cc->iv_gen_ops && cc->iv_gen_ops->post)
2038 		error = cc->iv_gen_ops->post(cc, org_iv_of_dmreq(cc, dmreq), dmreq);
2039 
2040 	if (error == -EBADMSG) {
2041 		char b[BDEVNAME_SIZE];
2042 		DMERR_LIMIT("%s: INTEGRITY AEAD ERROR, sector %llu", bio_devname(ctx->bio_in, b),
2043 			    (unsigned long long)le64_to_cpu(*org_sector_of_dmreq(cc, dmreq)));
2044 		io->error = BLK_STS_PROTECTION;
2045 	} else if (error < 0)
2046 		io->error = BLK_STS_IOERR;
2047 
2048 	crypt_free_req(cc, req_of_dmreq(cc, dmreq), io->base_bio);
2049 
2050 	if (!atomic_dec_and_test(&ctx->cc_pending))
2051 		return;
2052 
2053 	/*
2054 	 * The request is fully completed: for inline writes, let
2055 	 * kcryptd_crypt_write_convert() do the IO submission.
2056 	 */
2057 	if (bio_data_dir(io->base_bio) == READ) {
2058 		kcryptd_crypt_read_done(io);
2059 		return;
2060 	}
2061 
2062 	if (kcryptd_crypt_write_inline(cc, ctx)) {
2063 		complete(&ctx->restart);
2064 		return;
2065 	}
2066 
2067 	kcryptd_crypt_write_io_submit(io, 1);
2068 }
2069 
2070 static void kcryptd_crypt(struct work_struct *work)
2071 {
2072 	struct dm_crypt_io *io = container_of(work, struct dm_crypt_io, work);
2073 
2074 	if (bio_data_dir(io->base_bio) == READ)
2075 		kcryptd_crypt_read_convert(io);
2076 	else
2077 		kcryptd_crypt_write_convert(io);
2078 }
2079 
2080 static void kcryptd_crypt_tasklet(unsigned long work)
2081 {
2082 	kcryptd_crypt((struct work_struct *)work);
2083 }
2084 
2085 static void kcryptd_queue_crypt(struct dm_crypt_io *io)
2086 {
2087 	struct crypt_config *cc = io->cc;
2088 
2089 	if ((bio_data_dir(io->base_bio) == READ && test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags)) ||
2090 	    (bio_data_dir(io->base_bio) == WRITE && test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags))) {
2091 		if (in_irq()) {
2092 			/* Crypto API's "skcipher_walk_first() refuses to work in hard IRQ context */
2093 			tasklet_init(&io->tasklet, kcryptd_crypt_tasklet, (unsigned long)&io->work);
2094 			tasklet_schedule(&io->tasklet);
2095 			return;
2096 		}
2097 
2098 		kcryptd_crypt(&io->work);
2099 		return;
2100 	}
2101 
2102 	INIT_WORK(&io->work, kcryptd_crypt);
2103 	queue_work(cc->crypt_queue, &io->work);
2104 }
2105 
2106 static void crypt_free_tfms_aead(struct crypt_config *cc)
2107 {
2108 	if (!cc->cipher_tfm.tfms_aead)
2109 		return;
2110 
2111 	if (cc->cipher_tfm.tfms_aead[0] && !IS_ERR(cc->cipher_tfm.tfms_aead[0])) {
2112 		crypto_free_aead(cc->cipher_tfm.tfms_aead[0]);
2113 		cc->cipher_tfm.tfms_aead[0] = NULL;
2114 	}
2115 
2116 	kfree(cc->cipher_tfm.tfms_aead);
2117 	cc->cipher_tfm.tfms_aead = NULL;
2118 }
2119 
2120 static void crypt_free_tfms_skcipher(struct crypt_config *cc)
2121 {
2122 	unsigned i;
2123 
2124 	if (!cc->cipher_tfm.tfms)
2125 		return;
2126 
2127 	for (i = 0; i < cc->tfms_count; i++)
2128 		if (cc->cipher_tfm.tfms[i] && !IS_ERR(cc->cipher_tfm.tfms[i])) {
2129 			crypto_free_skcipher(cc->cipher_tfm.tfms[i]);
2130 			cc->cipher_tfm.tfms[i] = NULL;
2131 		}
2132 
2133 	kfree(cc->cipher_tfm.tfms);
2134 	cc->cipher_tfm.tfms = NULL;
2135 }
2136 
2137 static void crypt_free_tfms(struct crypt_config *cc)
2138 {
2139 	if (crypt_integrity_aead(cc))
2140 		crypt_free_tfms_aead(cc);
2141 	else
2142 		crypt_free_tfms_skcipher(cc);
2143 }
2144 
2145 static int crypt_alloc_tfms_skcipher(struct crypt_config *cc, char *ciphermode)
2146 {
2147 	unsigned i;
2148 	int err;
2149 
2150 	cc->cipher_tfm.tfms = kcalloc(cc->tfms_count,
2151 				      sizeof(struct crypto_skcipher *),
2152 				      GFP_KERNEL);
2153 	if (!cc->cipher_tfm.tfms)
2154 		return -ENOMEM;
2155 
2156 	for (i = 0; i < cc->tfms_count; i++) {
2157 		cc->cipher_tfm.tfms[i] = crypto_alloc_skcipher(ciphermode, 0, 0);
2158 		if (IS_ERR(cc->cipher_tfm.tfms[i])) {
2159 			err = PTR_ERR(cc->cipher_tfm.tfms[i]);
2160 			crypt_free_tfms(cc);
2161 			return err;
2162 		}
2163 	}
2164 
2165 	/*
2166 	 * dm-crypt performance can vary greatly depending on which crypto
2167 	 * algorithm implementation is used.  Help people debug performance
2168 	 * problems by logging the ->cra_driver_name.
2169 	 */
2170 	DMDEBUG_LIMIT("%s using implementation \"%s\"", ciphermode,
2171 	       crypto_skcipher_alg(any_tfm(cc))->base.cra_driver_name);
2172 	return 0;
2173 }
2174 
2175 static int crypt_alloc_tfms_aead(struct crypt_config *cc, char *ciphermode)
2176 {
2177 	int err;
2178 
2179 	cc->cipher_tfm.tfms = kmalloc(sizeof(struct crypto_aead *), GFP_KERNEL);
2180 	if (!cc->cipher_tfm.tfms)
2181 		return -ENOMEM;
2182 
2183 	cc->cipher_tfm.tfms_aead[0] = crypto_alloc_aead(ciphermode, 0, 0);
2184 	if (IS_ERR(cc->cipher_tfm.tfms_aead[0])) {
2185 		err = PTR_ERR(cc->cipher_tfm.tfms_aead[0]);
2186 		crypt_free_tfms(cc);
2187 		return err;
2188 	}
2189 
2190 	DMDEBUG_LIMIT("%s using implementation \"%s\"", ciphermode,
2191 	       crypto_aead_alg(any_tfm_aead(cc))->base.cra_driver_name);
2192 	return 0;
2193 }
2194 
2195 static int crypt_alloc_tfms(struct crypt_config *cc, char *ciphermode)
2196 {
2197 	if (crypt_integrity_aead(cc))
2198 		return crypt_alloc_tfms_aead(cc, ciphermode);
2199 	else
2200 		return crypt_alloc_tfms_skcipher(cc, ciphermode);
2201 }
2202 
2203 static unsigned crypt_subkey_size(struct crypt_config *cc)
2204 {
2205 	return (cc->key_size - cc->key_extra_size) >> ilog2(cc->tfms_count);
2206 }
2207 
2208 static unsigned crypt_authenckey_size(struct crypt_config *cc)
2209 {
2210 	return crypt_subkey_size(cc) + RTA_SPACE(sizeof(struct crypto_authenc_key_param));
2211 }
2212 
2213 /*
2214  * If AEAD is composed like authenc(hmac(sha256),xts(aes)),
2215  * the key must be for some reason in special format.
2216  * This funcion converts cc->key to this special format.
2217  */
2218 static void crypt_copy_authenckey(char *p, const void *key,
2219 				  unsigned enckeylen, unsigned authkeylen)
2220 {
2221 	struct crypto_authenc_key_param *param;
2222 	struct rtattr *rta;
2223 
2224 	rta = (struct rtattr *)p;
2225 	param = RTA_DATA(rta);
2226 	param->enckeylen = cpu_to_be32(enckeylen);
2227 	rta->rta_len = RTA_LENGTH(sizeof(*param));
2228 	rta->rta_type = CRYPTO_AUTHENC_KEYA_PARAM;
2229 	p += RTA_SPACE(sizeof(*param));
2230 	memcpy(p, key + enckeylen, authkeylen);
2231 	p += authkeylen;
2232 	memcpy(p, key, enckeylen);
2233 }
2234 
2235 static int crypt_setkey(struct crypt_config *cc)
2236 {
2237 	unsigned subkey_size;
2238 	int err = 0, i, r;
2239 
2240 	/* Ignore extra keys (which are used for IV etc) */
2241 	subkey_size = crypt_subkey_size(cc);
2242 
2243 	if (crypt_integrity_hmac(cc)) {
2244 		if (subkey_size < cc->key_mac_size)
2245 			return -EINVAL;
2246 
2247 		crypt_copy_authenckey(cc->authenc_key, cc->key,
2248 				      subkey_size - cc->key_mac_size,
2249 				      cc->key_mac_size);
2250 	}
2251 
2252 	for (i = 0; i < cc->tfms_count; i++) {
2253 		if (crypt_integrity_hmac(cc))
2254 			r = crypto_aead_setkey(cc->cipher_tfm.tfms_aead[i],
2255 				cc->authenc_key, crypt_authenckey_size(cc));
2256 		else if (crypt_integrity_aead(cc))
2257 			r = crypto_aead_setkey(cc->cipher_tfm.tfms_aead[i],
2258 					       cc->key + (i * subkey_size),
2259 					       subkey_size);
2260 		else
2261 			r = crypto_skcipher_setkey(cc->cipher_tfm.tfms[i],
2262 						   cc->key + (i * subkey_size),
2263 						   subkey_size);
2264 		if (r)
2265 			err = r;
2266 	}
2267 
2268 	if (crypt_integrity_hmac(cc))
2269 		memzero_explicit(cc->authenc_key, crypt_authenckey_size(cc));
2270 
2271 	return err;
2272 }
2273 
2274 #ifdef CONFIG_KEYS
2275 
2276 static bool contains_whitespace(const char *str)
2277 {
2278 	while (*str)
2279 		if (isspace(*str++))
2280 			return true;
2281 	return false;
2282 }
2283 
2284 static int set_key_user(struct crypt_config *cc, struct key *key)
2285 {
2286 	const struct user_key_payload *ukp;
2287 
2288 	ukp = user_key_payload_locked(key);
2289 	if (!ukp)
2290 		return -EKEYREVOKED;
2291 
2292 	if (cc->key_size != ukp->datalen)
2293 		return -EINVAL;
2294 
2295 	memcpy(cc->key, ukp->data, cc->key_size);
2296 
2297 	return 0;
2298 }
2299 
2300 #if defined(CONFIG_ENCRYPTED_KEYS) || defined(CONFIG_ENCRYPTED_KEYS_MODULE)
2301 static int set_key_encrypted(struct crypt_config *cc, struct key *key)
2302 {
2303 	const struct encrypted_key_payload *ekp;
2304 
2305 	ekp = key->payload.data[0];
2306 	if (!ekp)
2307 		return -EKEYREVOKED;
2308 
2309 	if (cc->key_size != ekp->decrypted_datalen)
2310 		return -EINVAL;
2311 
2312 	memcpy(cc->key, ekp->decrypted_data, cc->key_size);
2313 
2314 	return 0;
2315 }
2316 #endif /* CONFIG_ENCRYPTED_KEYS */
2317 
2318 static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
2319 {
2320 	char *new_key_string, *key_desc;
2321 	int ret;
2322 	struct key_type *type;
2323 	struct key *key;
2324 	int (*set_key)(struct crypt_config *cc, struct key *key);
2325 
2326 	/*
2327 	 * Reject key_string with whitespace. dm core currently lacks code for
2328 	 * proper whitespace escaping in arguments on DM_TABLE_STATUS path.
2329 	 */
2330 	if (contains_whitespace(key_string)) {
2331 		DMERR("whitespace chars not allowed in key string");
2332 		return -EINVAL;
2333 	}
2334 
2335 	/* look for next ':' separating key_type from key_description */
2336 	key_desc = strpbrk(key_string, ":");
2337 	if (!key_desc || key_desc == key_string || !strlen(key_desc + 1))
2338 		return -EINVAL;
2339 
2340 	if (!strncmp(key_string, "logon:", key_desc - key_string + 1)) {
2341 		type = &key_type_logon;
2342 		set_key = set_key_user;
2343 	} else if (!strncmp(key_string, "user:", key_desc - key_string + 1)) {
2344 		type = &key_type_user;
2345 		set_key = set_key_user;
2346 #if defined(CONFIG_ENCRYPTED_KEYS) || defined(CONFIG_ENCRYPTED_KEYS_MODULE)
2347 	} else if (!strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
2348 		type = &key_type_encrypted;
2349 		set_key = set_key_encrypted;
2350 #endif
2351 	} else {
2352 		return -EINVAL;
2353 	}
2354 
2355 	new_key_string = kstrdup(key_string, GFP_KERNEL);
2356 	if (!new_key_string)
2357 		return -ENOMEM;
2358 
2359 	key = request_key(type, key_desc + 1, NULL);
2360 	if (IS_ERR(key)) {
2361 		kfree_sensitive(new_key_string);
2362 		return PTR_ERR(key);
2363 	}
2364 
2365 	down_read(&key->sem);
2366 
2367 	ret = set_key(cc, key);
2368 	if (ret < 0) {
2369 		up_read(&key->sem);
2370 		key_put(key);
2371 		kfree_sensitive(new_key_string);
2372 		return ret;
2373 	}
2374 
2375 	up_read(&key->sem);
2376 	key_put(key);
2377 
2378 	/* clear the flag since following operations may invalidate previously valid key */
2379 	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2380 
2381 	ret = crypt_setkey(cc);
2382 
2383 	if (!ret) {
2384 		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2385 		kfree_sensitive(cc->key_string);
2386 		cc->key_string = new_key_string;
2387 	} else
2388 		kfree_sensitive(new_key_string);
2389 
2390 	return ret;
2391 }
2392 
2393 static int get_key_size(char **key_string)
2394 {
2395 	char *colon, dummy;
2396 	int ret;
2397 
2398 	if (*key_string[0] != ':')
2399 		return strlen(*key_string) >> 1;
2400 
2401 	/* look for next ':' in key string */
2402 	colon = strpbrk(*key_string + 1, ":");
2403 	if (!colon)
2404 		return -EINVAL;
2405 
2406 	if (sscanf(*key_string + 1, "%u%c", &ret, &dummy) != 2 || dummy != ':')
2407 		return -EINVAL;
2408 
2409 	*key_string = colon;
2410 
2411 	/* remaining key string should be :<logon|user>:<key_desc> */
2412 
2413 	return ret;
2414 }
2415 
2416 #else
2417 
2418 static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
2419 {
2420 	return -EINVAL;
2421 }
2422 
2423 static int get_key_size(char **key_string)
2424 {
2425 	return (*key_string[0] == ':') ? -EINVAL : strlen(*key_string) >> 1;
2426 }
2427 
2428 #endif /* CONFIG_KEYS */
2429 
2430 static int crypt_set_key(struct crypt_config *cc, char *key)
2431 {
2432 	int r = -EINVAL;
2433 	int key_string_len = strlen(key);
2434 
2435 	/* Hyphen (which gives a key_size of zero) means there is no key. */
2436 	if (!cc->key_size && strcmp(key, "-"))
2437 		goto out;
2438 
2439 	/* ':' means the key is in kernel keyring, short-circuit normal key processing */
2440 	if (key[0] == ':') {
2441 		r = crypt_set_keyring_key(cc, key + 1);
2442 		goto out;
2443 	}
2444 
2445 	/* clear the flag since following operations may invalidate previously valid key */
2446 	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2447 
2448 	/* wipe references to any kernel keyring key */
2449 	kfree_sensitive(cc->key_string);
2450 	cc->key_string = NULL;
2451 
2452 	/* Decode key from its hex representation. */
2453 	if (cc->key_size && hex2bin(cc->key, key, cc->key_size) < 0)
2454 		goto out;
2455 
2456 	r = crypt_setkey(cc);
2457 	if (!r)
2458 		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2459 
2460 out:
2461 	/* Hex key string not needed after here, so wipe it. */
2462 	memset(key, '0', key_string_len);
2463 
2464 	return r;
2465 }
2466 
2467 static int crypt_wipe_key(struct crypt_config *cc)
2468 {
2469 	int r;
2470 
2471 	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
2472 	get_random_bytes(&cc->key, cc->key_size);
2473 
2474 	/* Wipe IV private keys */
2475 	if (cc->iv_gen_ops && cc->iv_gen_ops->wipe) {
2476 		r = cc->iv_gen_ops->wipe(cc);
2477 		if (r)
2478 			return r;
2479 	}
2480 
2481 	kfree_sensitive(cc->key_string);
2482 	cc->key_string = NULL;
2483 	r = crypt_setkey(cc);
2484 	memset(&cc->key, 0, cc->key_size * sizeof(u8));
2485 
2486 	return r;
2487 }
2488 
2489 static void crypt_calculate_pages_per_client(void)
2490 {
2491 	unsigned long pages = (totalram_pages() - totalhigh_pages()) * DM_CRYPT_MEMORY_PERCENT / 100;
2492 
2493 	if (!dm_crypt_clients_n)
2494 		return;
2495 
2496 	pages /= dm_crypt_clients_n;
2497 	if (pages < DM_CRYPT_MIN_PAGES_PER_CLIENT)
2498 		pages = DM_CRYPT_MIN_PAGES_PER_CLIENT;
2499 	dm_crypt_pages_per_client = pages;
2500 }
2501 
2502 static void *crypt_page_alloc(gfp_t gfp_mask, void *pool_data)
2503 {
2504 	struct crypt_config *cc = pool_data;
2505 	struct page *page;
2506 
2507 	if (unlikely(percpu_counter_compare(&cc->n_allocated_pages, dm_crypt_pages_per_client) >= 0) &&
2508 	    likely(gfp_mask & __GFP_NORETRY))
2509 		return NULL;
2510 
2511 	page = alloc_page(gfp_mask);
2512 	if (likely(page != NULL))
2513 		percpu_counter_add(&cc->n_allocated_pages, 1);
2514 
2515 	return page;
2516 }
2517 
2518 static void crypt_page_free(void *page, void *pool_data)
2519 {
2520 	struct crypt_config *cc = pool_data;
2521 
2522 	__free_page(page);
2523 	percpu_counter_sub(&cc->n_allocated_pages, 1);
2524 }
2525 
2526 static void crypt_dtr(struct dm_target *ti)
2527 {
2528 	struct crypt_config *cc = ti->private;
2529 
2530 	ti->private = NULL;
2531 
2532 	if (!cc)
2533 		return;
2534 
2535 	if (cc->write_thread)
2536 		kthread_stop(cc->write_thread);
2537 
2538 	if (cc->io_queue)
2539 		destroy_workqueue(cc->io_queue);
2540 	if (cc->crypt_queue)
2541 		destroy_workqueue(cc->crypt_queue);
2542 
2543 	crypt_free_tfms(cc);
2544 
2545 	bioset_exit(&cc->bs);
2546 
2547 	mempool_exit(&cc->page_pool);
2548 	mempool_exit(&cc->req_pool);
2549 	mempool_exit(&cc->tag_pool);
2550 
2551 	WARN_ON(percpu_counter_sum(&cc->n_allocated_pages) != 0);
2552 	percpu_counter_destroy(&cc->n_allocated_pages);
2553 
2554 	if (cc->iv_gen_ops && cc->iv_gen_ops->dtr)
2555 		cc->iv_gen_ops->dtr(cc);
2556 
2557 	if (cc->dev)
2558 		dm_put_device(ti, cc->dev);
2559 
2560 	kfree_sensitive(cc->cipher_string);
2561 	kfree_sensitive(cc->key_string);
2562 	kfree_sensitive(cc->cipher_auth);
2563 	kfree_sensitive(cc->authenc_key);
2564 
2565 	mutex_destroy(&cc->bio_alloc_lock);
2566 
2567 	/* Must zero key material before freeing */
2568 	kfree_sensitive(cc);
2569 
2570 	spin_lock(&dm_crypt_clients_lock);
2571 	WARN_ON(!dm_crypt_clients_n);
2572 	dm_crypt_clients_n--;
2573 	crypt_calculate_pages_per_client();
2574 	spin_unlock(&dm_crypt_clients_lock);
2575 }
2576 
2577 static int crypt_ctr_ivmode(struct dm_target *ti, const char *ivmode)
2578 {
2579 	struct crypt_config *cc = ti->private;
2580 
2581 	if (crypt_integrity_aead(cc))
2582 		cc->iv_size = crypto_aead_ivsize(any_tfm_aead(cc));
2583 	else
2584 		cc->iv_size = crypto_skcipher_ivsize(any_tfm(cc));
2585 
2586 	if (cc->iv_size)
2587 		/* at least a 64 bit sector number should fit in our buffer */
2588 		cc->iv_size = max(cc->iv_size,
2589 				  (unsigned int)(sizeof(u64) / sizeof(u8)));
2590 	else if (ivmode) {
2591 		DMWARN("Selected cipher does not support IVs");
2592 		ivmode = NULL;
2593 	}
2594 
2595 	/* Choose ivmode, see comments at iv code. */
2596 	if (ivmode == NULL)
2597 		cc->iv_gen_ops = NULL;
2598 	else if (strcmp(ivmode, "plain") == 0)
2599 		cc->iv_gen_ops = &crypt_iv_plain_ops;
2600 	else if (strcmp(ivmode, "plain64") == 0)
2601 		cc->iv_gen_ops = &crypt_iv_plain64_ops;
2602 	else if (strcmp(ivmode, "plain64be") == 0)
2603 		cc->iv_gen_ops = &crypt_iv_plain64be_ops;
2604 	else if (strcmp(ivmode, "essiv") == 0)
2605 		cc->iv_gen_ops = &crypt_iv_essiv_ops;
2606 	else if (strcmp(ivmode, "benbi") == 0)
2607 		cc->iv_gen_ops = &crypt_iv_benbi_ops;
2608 	else if (strcmp(ivmode, "null") == 0)
2609 		cc->iv_gen_ops = &crypt_iv_null_ops;
2610 	else if (strcmp(ivmode, "eboiv") == 0)
2611 		cc->iv_gen_ops = &crypt_iv_eboiv_ops;
2612 	else if (strcmp(ivmode, "elephant") == 0) {
2613 		cc->iv_gen_ops = &crypt_iv_elephant_ops;
2614 		cc->key_parts = 2;
2615 		cc->key_extra_size = cc->key_size / 2;
2616 		if (cc->key_extra_size > ELEPHANT_MAX_KEY_SIZE)
2617 			return -EINVAL;
2618 		set_bit(CRYPT_ENCRYPT_PREPROCESS, &cc->cipher_flags);
2619 	} else if (strcmp(ivmode, "lmk") == 0) {
2620 		cc->iv_gen_ops = &crypt_iv_lmk_ops;
2621 		/*
2622 		 * Version 2 and 3 is recognised according
2623 		 * to length of provided multi-key string.
2624 		 * If present (version 3), last key is used as IV seed.
2625 		 * All keys (including IV seed) are always the same size.
2626 		 */
2627 		if (cc->key_size % cc->key_parts) {
2628 			cc->key_parts++;
2629 			cc->key_extra_size = cc->key_size / cc->key_parts;
2630 		}
2631 	} else if (strcmp(ivmode, "tcw") == 0) {
2632 		cc->iv_gen_ops = &crypt_iv_tcw_ops;
2633 		cc->key_parts += 2; /* IV + whitening */
2634 		cc->key_extra_size = cc->iv_size + TCW_WHITENING_SIZE;
2635 	} else if (strcmp(ivmode, "random") == 0) {
2636 		cc->iv_gen_ops = &crypt_iv_random_ops;
2637 		/* Need storage space in integrity fields. */
2638 		cc->integrity_iv_size = cc->iv_size;
2639 	} else {
2640 		ti->error = "Invalid IV mode";
2641 		return -EINVAL;
2642 	}
2643 
2644 	return 0;
2645 }
2646 
2647 /*
2648  * Workaround to parse HMAC algorithm from AEAD crypto API spec.
2649  * The HMAC is needed to calculate tag size (HMAC digest size).
2650  * This should be probably done by crypto-api calls (once available...)
2651  */
2652 static int crypt_ctr_auth_cipher(struct crypt_config *cc, char *cipher_api)
2653 {
2654 	char *start, *end, *mac_alg = NULL;
2655 	struct crypto_ahash *mac;
2656 
2657 	if (!strstarts(cipher_api, "authenc("))
2658 		return 0;
2659 
2660 	start = strchr(cipher_api, '(');
2661 	end = strchr(cipher_api, ',');
2662 	if (!start || !end || ++start > end)
2663 		return -EINVAL;
2664 
2665 	mac_alg = kzalloc(end - start + 1, GFP_KERNEL);
2666 	if (!mac_alg)
2667 		return -ENOMEM;
2668 	strncpy(mac_alg, start, end - start);
2669 
2670 	mac = crypto_alloc_ahash(mac_alg, 0, 0);
2671 	kfree(mac_alg);
2672 
2673 	if (IS_ERR(mac))
2674 		return PTR_ERR(mac);
2675 
2676 	cc->key_mac_size = crypto_ahash_digestsize(mac);
2677 	crypto_free_ahash(mac);
2678 
2679 	cc->authenc_key = kmalloc(crypt_authenckey_size(cc), GFP_KERNEL);
2680 	if (!cc->authenc_key)
2681 		return -ENOMEM;
2682 
2683 	return 0;
2684 }
2685 
2686 static int crypt_ctr_cipher_new(struct dm_target *ti, char *cipher_in, char *key,
2687 				char **ivmode, char **ivopts)
2688 {
2689 	struct crypt_config *cc = ti->private;
2690 	char *tmp, *cipher_api, buf[CRYPTO_MAX_ALG_NAME];
2691 	int ret = -EINVAL;
2692 
2693 	cc->tfms_count = 1;
2694 
2695 	/*
2696 	 * New format (capi: prefix)
2697 	 * capi:cipher_api_spec-iv:ivopts
2698 	 */
2699 	tmp = &cipher_in[strlen("capi:")];
2700 
2701 	/* Separate IV options if present, it can contain another '-' in hash name */
2702 	*ivopts = strrchr(tmp, ':');
2703 	if (*ivopts) {
2704 		**ivopts = '\0';
2705 		(*ivopts)++;
2706 	}
2707 	/* Parse IV mode */
2708 	*ivmode = strrchr(tmp, '-');
2709 	if (*ivmode) {
2710 		**ivmode = '\0';
2711 		(*ivmode)++;
2712 	}
2713 	/* The rest is crypto API spec */
2714 	cipher_api = tmp;
2715 
2716 	/* Alloc AEAD, can be used only in new format. */
2717 	if (crypt_integrity_aead(cc)) {
2718 		ret = crypt_ctr_auth_cipher(cc, cipher_api);
2719 		if (ret < 0) {
2720 			ti->error = "Invalid AEAD cipher spec";
2721 			return -ENOMEM;
2722 		}
2723 	}
2724 
2725 	if (*ivmode && !strcmp(*ivmode, "lmk"))
2726 		cc->tfms_count = 64;
2727 
2728 	if (*ivmode && !strcmp(*ivmode, "essiv")) {
2729 		if (!*ivopts) {
2730 			ti->error = "Digest algorithm missing for ESSIV mode";
2731 			return -EINVAL;
2732 		}
2733 		ret = snprintf(buf, CRYPTO_MAX_ALG_NAME, "essiv(%s,%s)",
2734 			       cipher_api, *ivopts);
2735 		if (ret < 0 || ret >= CRYPTO_MAX_ALG_NAME) {
2736 			ti->error = "Cannot allocate cipher string";
2737 			return -ENOMEM;
2738 		}
2739 		cipher_api = buf;
2740 	}
2741 
2742 	cc->key_parts = cc->tfms_count;
2743 
2744 	/* Allocate cipher */
2745 	ret = crypt_alloc_tfms(cc, cipher_api);
2746 	if (ret < 0) {
2747 		ti->error = "Error allocating crypto tfm";
2748 		return ret;
2749 	}
2750 
2751 	if (crypt_integrity_aead(cc))
2752 		cc->iv_size = crypto_aead_ivsize(any_tfm_aead(cc));
2753 	else
2754 		cc->iv_size = crypto_skcipher_ivsize(any_tfm(cc));
2755 
2756 	return 0;
2757 }
2758 
2759 static int crypt_ctr_cipher_old(struct dm_target *ti, char *cipher_in, char *key,
2760 				char **ivmode, char **ivopts)
2761 {
2762 	struct crypt_config *cc = ti->private;
2763 	char *tmp, *cipher, *chainmode, *keycount;
2764 	char *cipher_api = NULL;
2765 	int ret = -EINVAL;
2766 	char dummy;
2767 
2768 	if (strchr(cipher_in, '(') || crypt_integrity_aead(cc)) {
2769 		ti->error = "Bad cipher specification";
2770 		return -EINVAL;
2771 	}
2772 
2773 	/*
2774 	 * Legacy dm-crypt cipher specification
2775 	 * cipher[:keycount]-mode-iv:ivopts
2776 	 */
2777 	tmp = cipher_in;
2778 	keycount = strsep(&tmp, "-");
2779 	cipher = strsep(&keycount, ":");
2780 
2781 	if (!keycount)
2782 		cc->tfms_count = 1;
2783 	else if (sscanf(keycount, "%u%c", &cc->tfms_count, &dummy) != 1 ||
2784 		 !is_power_of_2(cc->tfms_count)) {
2785 		ti->error = "Bad cipher key count specification";
2786 		return -EINVAL;
2787 	}
2788 	cc->key_parts = cc->tfms_count;
2789 
2790 	chainmode = strsep(&tmp, "-");
2791 	*ivmode = strsep(&tmp, ":");
2792 	*ivopts = tmp;
2793 
2794 	/*
2795 	 * For compatibility with the original dm-crypt mapping format, if
2796 	 * only the cipher name is supplied, use cbc-plain.
2797 	 */
2798 	if (!chainmode || (!strcmp(chainmode, "plain") && !*ivmode)) {
2799 		chainmode = "cbc";
2800 		*ivmode = "plain";
2801 	}
2802 
2803 	if (strcmp(chainmode, "ecb") && !*ivmode) {
2804 		ti->error = "IV mechanism required";
2805 		return -EINVAL;
2806 	}
2807 
2808 	cipher_api = kmalloc(CRYPTO_MAX_ALG_NAME, GFP_KERNEL);
2809 	if (!cipher_api)
2810 		goto bad_mem;
2811 
2812 	if (*ivmode && !strcmp(*ivmode, "essiv")) {
2813 		if (!*ivopts) {
2814 			ti->error = "Digest algorithm missing for ESSIV mode";
2815 			kfree(cipher_api);
2816 			return -EINVAL;
2817 		}
2818 		ret = snprintf(cipher_api, CRYPTO_MAX_ALG_NAME,
2819 			       "essiv(%s(%s),%s)", chainmode, cipher, *ivopts);
2820 	} else {
2821 		ret = snprintf(cipher_api, CRYPTO_MAX_ALG_NAME,
2822 			       "%s(%s)", chainmode, cipher);
2823 	}
2824 	if (ret < 0 || ret >= CRYPTO_MAX_ALG_NAME) {
2825 		kfree(cipher_api);
2826 		goto bad_mem;
2827 	}
2828 
2829 	/* Allocate cipher */
2830 	ret = crypt_alloc_tfms(cc, cipher_api);
2831 	if (ret < 0) {
2832 		ti->error = "Error allocating crypto tfm";
2833 		kfree(cipher_api);
2834 		return ret;
2835 	}
2836 	kfree(cipher_api);
2837 
2838 	return 0;
2839 bad_mem:
2840 	ti->error = "Cannot allocate cipher strings";
2841 	return -ENOMEM;
2842 }
2843 
2844 static int crypt_ctr_cipher(struct dm_target *ti, char *cipher_in, char *key)
2845 {
2846 	struct crypt_config *cc = ti->private;
2847 	char *ivmode = NULL, *ivopts = NULL;
2848 	int ret;
2849 
2850 	cc->cipher_string = kstrdup(cipher_in, GFP_KERNEL);
2851 	if (!cc->cipher_string) {
2852 		ti->error = "Cannot allocate cipher strings";
2853 		return -ENOMEM;
2854 	}
2855 
2856 	if (strstarts(cipher_in, "capi:"))
2857 		ret = crypt_ctr_cipher_new(ti, cipher_in, key, &ivmode, &ivopts);
2858 	else
2859 		ret = crypt_ctr_cipher_old(ti, cipher_in, key, &ivmode, &ivopts);
2860 	if (ret)
2861 		return ret;
2862 
2863 	/* Initialize IV */
2864 	ret = crypt_ctr_ivmode(ti, ivmode);
2865 	if (ret < 0)
2866 		return ret;
2867 
2868 	/* Initialize and set key */
2869 	ret = crypt_set_key(cc, key);
2870 	if (ret < 0) {
2871 		ti->error = "Error decoding and setting key";
2872 		return ret;
2873 	}
2874 
2875 	/* Allocate IV */
2876 	if (cc->iv_gen_ops && cc->iv_gen_ops->ctr) {
2877 		ret = cc->iv_gen_ops->ctr(cc, ti, ivopts);
2878 		if (ret < 0) {
2879 			ti->error = "Error creating IV";
2880 			return ret;
2881 		}
2882 	}
2883 
2884 	/* Initialize IV (set keys for ESSIV etc) */
2885 	if (cc->iv_gen_ops && cc->iv_gen_ops->init) {
2886 		ret = cc->iv_gen_ops->init(cc);
2887 		if (ret < 0) {
2888 			ti->error = "Error initialising IV";
2889 			return ret;
2890 		}
2891 	}
2892 
2893 	/* wipe the kernel key payload copy */
2894 	if (cc->key_string)
2895 		memset(cc->key, 0, cc->key_size * sizeof(u8));
2896 
2897 	return ret;
2898 }
2899 
2900 static int crypt_ctr_optional(struct dm_target *ti, unsigned int argc, char **argv)
2901 {
2902 	struct crypt_config *cc = ti->private;
2903 	struct dm_arg_set as;
2904 	static const struct dm_arg _args[] = {
2905 		{0, 8, "Invalid number of feature args"},
2906 	};
2907 	unsigned int opt_params, val;
2908 	const char *opt_string, *sval;
2909 	char dummy;
2910 	int ret;
2911 
2912 	/* Optional parameters */
2913 	as.argc = argc;
2914 	as.argv = argv;
2915 
2916 	ret = dm_read_arg_group(_args, &as, &opt_params, &ti->error);
2917 	if (ret)
2918 		return ret;
2919 
2920 	while (opt_params--) {
2921 		opt_string = dm_shift_arg(&as);
2922 		if (!opt_string) {
2923 			ti->error = "Not enough feature arguments";
2924 			return -EINVAL;
2925 		}
2926 
2927 		if (!strcasecmp(opt_string, "allow_discards"))
2928 			ti->num_discard_bios = 1;
2929 
2930 		else if (!strcasecmp(opt_string, "same_cpu_crypt"))
2931 			set_bit(DM_CRYPT_SAME_CPU, &cc->flags);
2932 
2933 		else if (!strcasecmp(opt_string, "submit_from_crypt_cpus"))
2934 			set_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
2935 		else if (!strcasecmp(opt_string, "no_read_workqueue"))
2936 			set_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags);
2937 		else if (!strcasecmp(opt_string, "no_write_workqueue"))
2938 			set_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags);
2939 		else if (sscanf(opt_string, "integrity:%u:", &val) == 1) {
2940 			if (val == 0 || val > MAX_TAG_SIZE) {
2941 				ti->error = "Invalid integrity arguments";
2942 				return -EINVAL;
2943 			}
2944 			cc->on_disk_tag_size = val;
2945 			sval = strchr(opt_string + strlen("integrity:"), ':') + 1;
2946 			if (!strcasecmp(sval, "aead")) {
2947 				set_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags);
2948 			} else  if (strcasecmp(sval, "none")) {
2949 				ti->error = "Unknown integrity profile";
2950 				return -EINVAL;
2951 			}
2952 
2953 			cc->cipher_auth = kstrdup(sval, GFP_KERNEL);
2954 			if (!cc->cipher_auth)
2955 				return -ENOMEM;
2956 		} else if (sscanf(opt_string, "sector_size:%hu%c", &cc->sector_size, &dummy) == 1) {
2957 			if (cc->sector_size < (1 << SECTOR_SHIFT) ||
2958 			    cc->sector_size > 4096 ||
2959 			    (cc->sector_size & (cc->sector_size - 1))) {
2960 				ti->error = "Invalid feature value for sector_size";
2961 				return -EINVAL;
2962 			}
2963 			if (ti->len & ((cc->sector_size >> SECTOR_SHIFT) - 1)) {
2964 				ti->error = "Device size is not multiple of sector_size feature";
2965 				return -EINVAL;
2966 			}
2967 			cc->sector_shift = __ffs(cc->sector_size) - SECTOR_SHIFT;
2968 		} else if (!strcasecmp(opt_string, "iv_large_sectors"))
2969 			set_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
2970 		else {
2971 			ti->error = "Invalid feature arguments";
2972 			return -EINVAL;
2973 		}
2974 	}
2975 
2976 	return 0;
2977 }
2978 
2979 #ifdef CONFIG_BLK_DEV_ZONED
2980 
2981 static int crypt_report_zones(struct dm_target *ti,
2982 		struct dm_report_zones_args *args, unsigned int nr_zones)
2983 {
2984 	struct crypt_config *cc = ti->private;
2985 	sector_t sector = cc->start + dm_target_offset(ti, args->next_sector);
2986 
2987 	args->start = cc->start;
2988 	return blkdev_report_zones(cc->dev->bdev, sector, nr_zones,
2989 				   dm_report_zones_cb, args);
2990 }
2991 
2992 #endif
2993 
2994 /*
2995  * Construct an encryption mapping:
2996  * <cipher> [<key>|:<key_size>:<user|logon>:<key_description>] <iv_offset> <dev_path> <start>
2997  */
2998 static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
2999 {
3000 	struct crypt_config *cc;
3001 	const char *devname = dm_table_device_name(ti->table);
3002 	int key_size;
3003 	unsigned int align_mask;
3004 	unsigned long long tmpll;
3005 	int ret;
3006 	size_t iv_size_padding, additional_req_size;
3007 	char dummy;
3008 
3009 	if (argc < 5) {
3010 		ti->error = "Not enough arguments";
3011 		return -EINVAL;
3012 	}
3013 
3014 	key_size = get_key_size(&argv[1]);
3015 	if (key_size < 0) {
3016 		ti->error = "Cannot parse key size";
3017 		return -EINVAL;
3018 	}
3019 
3020 	cc = kzalloc(struct_size(cc, key, key_size), GFP_KERNEL);
3021 	if (!cc) {
3022 		ti->error = "Cannot allocate encryption context";
3023 		return -ENOMEM;
3024 	}
3025 	cc->key_size = key_size;
3026 	cc->sector_size = (1 << SECTOR_SHIFT);
3027 	cc->sector_shift = 0;
3028 
3029 	ti->private = cc;
3030 
3031 	spin_lock(&dm_crypt_clients_lock);
3032 	dm_crypt_clients_n++;
3033 	crypt_calculate_pages_per_client();
3034 	spin_unlock(&dm_crypt_clients_lock);
3035 
3036 	ret = percpu_counter_init(&cc->n_allocated_pages, 0, GFP_KERNEL);
3037 	if (ret < 0)
3038 		goto bad;
3039 
3040 	/* Optional parameters need to be read before cipher constructor */
3041 	if (argc > 5) {
3042 		ret = crypt_ctr_optional(ti, argc - 5, &argv[5]);
3043 		if (ret)
3044 			goto bad;
3045 	}
3046 
3047 	ret = crypt_ctr_cipher(ti, argv[0], argv[1]);
3048 	if (ret < 0)
3049 		goto bad;
3050 
3051 	if (crypt_integrity_aead(cc)) {
3052 		cc->dmreq_start = sizeof(struct aead_request);
3053 		cc->dmreq_start += crypto_aead_reqsize(any_tfm_aead(cc));
3054 		align_mask = crypto_aead_alignmask(any_tfm_aead(cc));
3055 	} else {
3056 		cc->dmreq_start = sizeof(struct skcipher_request);
3057 		cc->dmreq_start += crypto_skcipher_reqsize(any_tfm(cc));
3058 		align_mask = crypto_skcipher_alignmask(any_tfm(cc));
3059 	}
3060 	cc->dmreq_start = ALIGN(cc->dmreq_start, __alignof__(struct dm_crypt_request));
3061 
3062 	if (align_mask < CRYPTO_MINALIGN) {
3063 		/* Allocate the padding exactly */
3064 		iv_size_padding = -(cc->dmreq_start + sizeof(struct dm_crypt_request))
3065 				& align_mask;
3066 	} else {
3067 		/*
3068 		 * If the cipher requires greater alignment than kmalloc
3069 		 * alignment, we don't know the exact position of the
3070 		 * initialization vector. We must assume worst case.
3071 		 */
3072 		iv_size_padding = align_mask;
3073 	}
3074 
3075 	/*  ...| IV + padding | original IV | original sec. number | bio tag offset | */
3076 	additional_req_size = sizeof(struct dm_crypt_request) +
3077 		iv_size_padding + cc->iv_size +
3078 		cc->iv_size +
3079 		sizeof(uint64_t) +
3080 		sizeof(unsigned int);
3081 
3082 	ret = mempool_init_kmalloc_pool(&cc->req_pool, MIN_IOS, cc->dmreq_start + additional_req_size);
3083 	if (ret) {
3084 		ti->error = "Cannot allocate crypt request mempool";
3085 		goto bad;
3086 	}
3087 
3088 	cc->per_bio_data_size = ti->per_io_data_size =
3089 		ALIGN(sizeof(struct dm_crypt_io) + cc->dmreq_start + additional_req_size,
3090 		      ARCH_KMALLOC_MINALIGN);
3091 
3092 	ret = mempool_init(&cc->page_pool, BIO_MAX_PAGES, crypt_page_alloc, crypt_page_free, cc);
3093 	if (ret) {
3094 		ti->error = "Cannot allocate page mempool";
3095 		goto bad;
3096 	}
3097 
3098 	ret = bioset_init(&cc->bs, MIN_IOS, 0, BIOSET_NEED_BVECS);
3099 	if (ret) {
3100 		ti->error = "Cannot allocate crypt bioset";
3101 		goto bad;
3102 	}
3103 
3104 	mutex_init(&cc->bio_alloc_lock);
3105 
3106 	ret = -EINVAL;
3107 	if ((sscanf(argv[2], "%llu%c", &tmpll, &dummy) != 1) ||
3108 	    (tmpll & ((cc->sector_size >> SECTOR_SHIFT) - 1))) {
3109 		ti->error = "Invalid iv_offset sector";
3110 		goto bad;
3111 	}
3112 	cc->iv_offset = tmpll;
3113 
3114 	ret = dm_get_device(ti, argv[3], dm_table_get_mode(ti->table), &cc->dev);
3115 	if (ret) {
3116 		ti->error = "Device lookup failed";
3117 		goto bad;
3118 	}
3119 
3120 	ret = -EINVAL;
3121 	if (sscanf(argv[4], "%llu%c", &tmpll, &dummy) != 1 || tmpll != (sector_t)tmpll) {
3122 		ti->error = "Invalid device sector";
3123 		goto bad;
3124 	}
3125 	cc->start = tmpll;
3126 
3127 	/*
3128 	 * For zoned block devices, we need to preserve the issuer write
3129 	 * ordering. To do so, disable write workqueues and force inline
3130 	 * encryption completion.
3131 	 */
3132 	if (bdev_is_zoned(cc->dev->bdev)) {
3133 		set_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags);
3134 		set_bit(DM_CRYPT_WRITE_INLINE, &cc->flags);
3135 	}
3136 
3137 	if (crypt_integrity_aead(cc) || cc->integrity_iv_size) {
3138 		ret = crypt_integrity_ctr(cc, ti);
3139 		if (ret)
3140 			goto bad;
3141 
3142 		cc->tag_pool_max_sectors = POOL_ENTRY_SIZE / cc->on_disk_tag_size;
3143 		if (!cc->tag_pool_max_sectors)
3144 			cc->tag_pool_max_sectors = 1;
3145 
3146 		ret = mempool_init_kmalloc_pool(&cc->tag_pool, MIN_IOS,
3147 			cc->tag_pool_max_sectors * cc->on_disk_tag_size);
3148 		if (ret) {
3149 			ti->error = "Cannot allocate integrity tags mempool";
3150 			goto bad;
3151 		}
3152 
3153 		cc->tag_pool_max_sectors <<= cc->sector_shift;
3154 	}
3155 
3156 	ret = -ENOMEM;
3157 	cc->io_queue = alloc_workqueue("kcryptd_io/%s", WQ_MEM_RECLAIM, 1, devname);
3158 	if (!cc->io_queue) {
3159 		ti->error = "Couldn't create kcryptd io queue";
3160 		goto bad;
3161 	}
3162 
3163 	if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags))
3164 		cc->crypt_queue = alloc_workqueue("kcryptd/%s", WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM,
3165 						  1, devname);
3166 	else
3167 		cc->crypt_queue = alloc_workqueue("kcryptd/%s",
3168 						  WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND,
3169 						  num_online_cpus(), devname);
3170 	if (!cc->crypt_queue) {
3171 		ti->error = "Couldn't create kcryptd queue";
3172 		goto bad;
3173 	}
3174 
3175 	spin_lock_init(&cc->write_thread_lock);
3176 	cc->write_tree = RB_ROOT;
3177 
3178 	cc->write_thread = kthread_create(dmcrypt_write, cc, "dmcrypt_write/%s", devname);
3179 	if (IS_ERR(cc->write_thread)) {
3180 		ret = PTR_ERR(cc->write_thread);
3181 		cc->write_thread = NULL;
3182 		ti->error = "Couldn't spawn write thread";
3183 		goto bad;
3184 	}
3185 	wake_up_process(cc->write_thread);
3186 
3187 	ti->num_flush_bios = 1;
3188 
3189 	return 0;
3190 
3191 bad:
3192 	crypt_dtr(ti);
3193 	return ret;
3194 }
3195 
3196 static int crypt_map(struct dm_target *ti, struct bio *bio)
3197 {
3198 	struct dm_crypt_io *io;
3199 	struct crypt_config *cc = ti->private;
3200 
3201 	/*
3202 	 * If bio is REQ_PREFLUSH or REQ_OP_DISCARD, just bypass crypt queues.
3203 	 * - for REQ_PREFLUSH device-mapper core ensures that no IO is in-flight
3204 	 * - for REQ_OP_DISCARD caller must use flush if IO ordering matters
3205 	 */
3206 	if (unlikely(bio->bi_opf & REQ_PREFLUSH ||
3207 	    bio_op(bio) == REQ_OP_DISCARD)) {
3208 		bio_set_dev(bio, cc->dev->bdev);
3209 		if (bio_sectors(bio))
3210 			bio->bi_iter.bi_sector = cc->start +
3211 				dm_target_offset(ti, bio->bi_iter.bi_sector);
3212 		return DM_MAPIO_REMAPPED;
3213 	}
3214 
3215 	/*
3216 	 * Check if bio is too large, split as needed.
3217 	 */
3218 	if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
3219 	    (bio_data_dir(bio) == WRITE || cc->on_disk_tag_size))
3220 		dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
3221 
3222 	/*
3223 	 * Ensure that bio is a multiple of internal sector encryption size
3224 	 * and is aligned to this size as defined in IO hints.
3225 	 */
3226 	if (unlikely((bio->bi_iter.bi_sector & ((cc->sector_size >> SECTOR_SHIFT) - 1)) != 0))
3227 		return DM_MAPIO_KILL;
3228 
3229 	if (unlikely(bio->bi_iter.bi_size & (cc->sector_size - 1)))
3230 		return DM_MAPIO_KILL;
3231 
3232 	io = dm_per_bio_data(bio, cc->per_bio_data_size);
3233 	crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
3234 
3235 	if (cc->on_disk_tag_size) {
3236 		unsigned tag_len = cc->on_disk_tag_size * (bio_sectors(bio) >> cc->sector_shift);
3237 
3238 		if (unlikely(tag_len > KMALLOC_MAX_SIZE) ||
3239 		    unlikely(!(io->integrity_metadata = kmalloc(tag_len,
3240 				GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN)))) {
3241 			if (bio_sectors(bio) > cc->tag_pool_max_sectors)
3242 				dm_accept_partial_bio(bio, cc->tag_pool_max_sectors);
3243 			io->integrity_metadata = mempool_alloc(&cc->tag_pool, GFP_NOIO);
3244 			io->integrity_metadata_from_pool = true;
3245 		}
3246 	}
3247 
3248 	if (crypt_integrity_aead(cc))
3249 		io->ctx.r.req_aead = (struct aead_request *)(io + 1);
3250 	else
3251 		io->ctx.r.req = (struct skcipher_request *)(io + 1);
3252 
3253 	if (bio_data_dir(io->base_bio) == READ) {
3254 		if (kcryptd_io_read(io, GFP_NOWAIT))
3255 			kcryptd_queue_read(io);
3256 	} else
3257 		kcryptd_queue_crypt(io);
3258 
3259 	return DM_MAPIO_SUBMITTED;
3260 }
3261 
3262 static void crypt_status(struct dm_target *ti, status_type_t type,
3263 			 unsigned status_flags, char *result, unsigned maxlen)
3264 {
3265 	struct crypt_config *cc = ti->private;
3266 	unsigned i, sz = 0;
3267 	int num_feature_args = 0;
3268 
3269 	switch (type) {
3270 	case STATUSTYPE_INFO:
3271 		result[0] = '\0';
3272 		break;
3273 
3274 	case STATUSTYPE_TABLE:
3275 		DMEMIT("%s ", cc->cipher_string);
3276 
3277 		if (cc->key_size > 0) {
3278 			if (cc->key_string)
3279 				DMEMIT(":%u:%s", cc->key_size, cc->key_string);
3280 			else
3281 				for (i = 0; i < cc->key_size; i++)
3282 					DMEMIT("%02x", cc->key[i]);
3283 		} else
3284 			DMEMIT("-");
3285 
3286 		DMEMIT(" %llu %s %llu", (unsigned long long)cc->iv_offset,
3287 				cc->dev->name, (unsigned long long)cc->start);
3288 
3289 		num_feature_args += !!ti->num_discard_bios;
3290 		num_feature_args += test_bit(DM_CRYPT_SAME_CPU, &cc->flags);
3291 		num_feature_args += test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags);
3292 		num_feature_args += test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags);
3293 		num_feature_args += test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags);
3294 		num_feature_args += cc->sector_size != (1 << SECTOR_SHIFT);
3295 		num_feature_args += test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
3296 		if (cc->on_disk_tag_size)
3297 			num_feature_args++;
3298 		if (num_feature_args) {
3299 			DMEMIT(" %d", num_feature_args);
3300 			if (ti->num_discard_bios)
3301 				DMEMIT(" allow_discards");
3302 			if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags))
3303 				DMEMIT(" same_cpu_crypt");
3304 			if (test_bit(DM_CRYPT_NO_OFFLOAD, &cc->flags))
3305 				DMEMIT(" submit_from_crypt_cpus");
3306 			if (test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags))
3307 				DMEMIT(" no_read_workqueue");
3308 			if (test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags))
3309 				DMEMIT(" no_write_workqueue");
3310 			if (cc->on_disk_tag_size)
3311 				DMEMIT(" integrity:%u:%s", cc->on_disk_tag_size, cc->cipher_auth);
3312 			if (cc->sector_size != (1 << SECTOR_SHIFT))
3313 				DMEMIT(" sector_size:%d", cc->sector_size);
3314 			if (test_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags))
3315 				DMEMIT(" iv_large_sectors");
3316 		}
3317 
3318 		break;
3319 	}
3320 }
3321 
3322 static void crypt_postsuspend(struct dm_target *ti)
3323 {
3324 	struct crypt_config *cc = ti->private;
3325 
3326 	set_bit(DM_CRYPT_SUSPENDED, &cc->flags);
3327 }
3328 
3329 static int crypt_preresume(struct dm_target *ti)
3330 {
3331 	struct crypt_config *cc = ti->private;
3332 
3333 	if (!test_bit(DM_CRYPT_KEY_VALID, &cc->flags)) {
3334 		DMERR("aborting resume - crypt key is not set.");
3335 		return -EAGAIN;
3336 	}
3337 
3338 	return 0;
3339 }
3340 
3341 static void crypt_resume(struct dm_target *ti)
3342 {
3343 	struct crypt_config *cc = ti->private;
3344 
3345 	clear_bit(DM_CRYPT_SUSPENDED, &cc->flags);
3346 }
3347 
3348 /* Message interface
3349  *	key set <key>
3350  *	key wipe
3351  */
3352 static int crypt_message(struct dm_target *ti, unsigned argc, char **argv,
3353 			 char *result, unsigned maxlen)
3354 {
3355 	struct crypt_config *cc = ti->private;
3356 	int key_size, ret = -EINVAL;
3357 
3358 	if (argc < 2)
3359 		goto error;
3360 
3361 	if (!strcasecmp(argv[0], "key")) {
3362 		if (!test_bit(DM_CRYPT_SUSPENDED, &cc->flags)) {
3363 			DMWARN("not suspended during key manipulation.");
3364 			return -EINVAL;
3365 		}
3366 		if (argc == 3 && !strcasecmp(argv[1], "set")) {
3367 			/* The key size may not be changed. */
3368 			key_size = get_key_size(&argv[2]);
3369 			if (key_size < 0 || cc->key_size != key_size) {
3370 				memset(argv[2], '0', strlen(argv[2]));
3371 				return -EINVAL;
3372 			}
3373 
3374 			ret = crypt_set_key(cc, argv[2]);
3375 			if (ret)
3376 				return ret;
3377 			if (cc->iv_gen_ops && cc->iv_gen_ops->init)
3378 				ret = cc->iv_gen_ops->init(cc);
3379 			/* wipe the kernel key payload copy */
3380 			if (cc->key_string)
3381 				memset(cc->key, 0, cc->key_size * sizeof(u8));
3382 			return ret;
3383 		}
3384 		if (argc == 2 && !strcasecmp(argv[1], "wipe"))
3385 			return crypt_wipe_key(cc);
3386 	}
3387 
3388 error:
3389 	DMWARN("unrecognised message received.");
3390 	return -EINVAL;
3391 }
3392 
3393 static int crypt_iterate_devices(struct dm_target *ti,
3394 				 iterate_devices_callout_fn fn, void *data)
3395 {
3396 	struct crypt_config *cc = ti->private;
3397 
3398 	return fn(ti, cc->dev, cc->start, ti->len, data);
3399 }
3400 
3401 static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
3402 {
3403 	struct crypt_config *cc = ti->private;
3404 
3405 	/*
3406 	 * Unfortunate constraint that is required to avoid the potential
3407 	 * for exceeding underlying device's max_segments limits -- due to
3408 	 * crypt_alloc_buffer() possibly allocating pages for the encryption
3409 	 * bio that are not as physically contiguous as the original bio.
3410 	 */
3411 	limits->max_segment_size = PAGE_SIZE;
3412 
3413 	limits->logical_block_size =
3414 		max_t(unsigned, limits->logical_block_size, cc->sector_size);
3415 	limits->physical_block_size =
3416 		max_t(unsigned, limits->physical_block_size, cc->sector_size);
3417 	limits->io_min = max_t(unsigned, limits->io_min, cc->sector_size);
3418 }
3419 
3420 static struct target_type crypt_target = {
3421 	.name   = "crypt",
3422 	.version = {1, 22, 0},
3423 	.module = THIS_MODULE,
3424 	.ctr    = crypt_ctr,
3425 	.dtr    = crypt_dtr,
3426 #ifdef CONFIG_BLK_DEV_ZONED
3427 	.features = DM_TARGET_ZONED_HM,
3428 	.report_zones = crypt_report_zones,
3429 #endif
3430 	.map    = crypt_map,
3431 	.status = crypt_status,
3432 	.postsuspend = crypt_postsuspend,
3433 	.preresume = crypt_preresume,
3434 	.resume = crypt_resume,
3435 	.message = crypt_message,
3436 	.iterate_devices = crypt_iterate_devices,
3437 	.io_hints = crypt_io_hints,
3438 };
3439 
3440 static int __init dm_crypt_init(void)
3441 {
3442 	int r;
3443 
3444 	r = dm_register_target(&crypt_target);
3445 	if (r < 0)
3446 		DMERR("register failed %d", r);
3447 
3448 	return r;
3449 }
3450 
3451 static void __exit dm_crypt_exit(void)
3452 {
3453 	dm_unregister_target(&crypt_target);
3454 }
3455 
3456 module_init(dm_crypt_init);
3457 module_exit(dm_crypt_exit);
3458 
3459 MODULE_AUTHOR("Jana Saout <jana@saout.de>");
3460 MODULE_DESCRIPTION(DM_NAME " target for transparent encryption / decryption");
3461 MODULE_LICENSE("GPL");
3462