Skip to content
  • Eric Biggers's avatar
    crypto: x86/salsa20 - remove x86 salsa20 implementations · 19f39eff
    Eric Biggers authored
    commit b7b73cd5
    
     upstream.
    
    The x86 assembly implementations of Salsa20 use the frame base pointer
    register (%ebp or %rbp), which breaks frame pointer convention and
    breaks stack traces when unwinding from an interrupt in the crypto code.
    Recent (v4.10+) kernels will warn about this, e.g.
    
    WARNING: kernel stack regs at 00000000a8291e69 in syzkaller047086:4677 has bad 'bp' value 000000001077994c
    [...]
    
    But after looking into it, I believe there's very little reason to still
    retain the x86 Salsa20 code.  First, these are *not* vectorized
    (SSE2/SSSE3/AVX2) implementations, which would be needed to get anywhere
    close to the best Salsa20 performance on any remotely modern x86
    processor; they're just regular x86 assembly.  Second, it's still
    unclear that anyone is actually using the kernel's Salsa20 at all,
    especially given that now ChaCha20 is supported too, and with much more
    efficient SSSE3 and AVX2 implementations.  Finally, in benchmarks I did
    on both Intel and AMD processors with both gcc 8.1.0 and gcc 4.9.4, the
    x86_64 salsa20-asm is actually slightly *slower* than salsa20-generic
    (~3% slower on Skylake, ~10% slower on Zen), while the i686 salsa20-asm
    is only slightly faster than salsa20-generic (~15% faster on Skylake,
    ~20% faster on Zen).  The gcc version made little difference.
    
    So, the x86_64 salsa20-asm is pretty clearly useless.  That leaves just
    the i686 salsa20-asm, which based on my tests provides a 15-20% speed
    boost.  But that's without updating the code to not use %ebp.  And given
    the maintenance cost, the small speed difference vs. salsa20-generic,
    the fact that few people still use i686 kernels, the doubt that anyone
    is even using the kernel's Salsa20 at all, and the fact that a SSE2
    implementation would almost certainly be much faster on any remotely
    modern x86 processor yet no one has cared enough to add one yet, I don't
    think it's worthwhile to keep.
    
    Thus, just remove both the x86_64 and i686 salsa20-asm implementations.
    
    Reported-by: default avatar <syzbot+ffa3a158337bbc01ff09@syzkaller.appspotmail.com>
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    19f39eff