From patchwork Wed Jan 3 22:39:27 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 10143607 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 164C36034B for ; Wed, 3 Jan 2018 22:40:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F41E629346 for ; Wed, 3 Jan 2018 22:40:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E5E2A293D3; Wed, 3 Jan 2018 22:40:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BB81629346 for ; Wed, 3 Jan 2018 22:40:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751134AbeACWkG (ORCPT ); Wed, 3 Jan 2018 17:40:06 -0500 Received: from mout.kundenserver.de ([217.72.192.73]:63705 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750979AbeACWkF (ORCPT ); Wed, 3 Jan 2018 17:40:05 -0500 Received: from wuerfel.lan ([95.208.111.237]) by mrelayeu.kundenserver.de (mreue103 [212.227.15.145]) with ESMTPA (Nemesis) id 0LoaZ0-1f8vCl1S94-00gW87; Wed, 03 Jan 2018 23:39:45 +0100 From: Arnd Bergmann To: Herbert Xu , "David S. Miller" Cc: Arnd Bergmann , Richard Biener , Jakub Jelinek , Ard Biesheuvel , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] [v2] crypto: aes-generic - build with -Os on gcc-7+ Date: Wed, 3 Jan 2018 23:39:27 +0100 Message-Id: <20180103223940.3715372-1-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 X-Provags-ID: V03:K0:XvTNTwL/9veMYD6P7p64GkGtZJwN+zu8oq2BHbs/+MHnXbshCR/ e4XvwgeNGiE4DkOD/sVWIwYArM76PN9OHhurOXZY2+qRgGZmKbCq2n10MOC6kIzbbnZXVLQ WO9eLqfGdF2P0oYkfDdjEssAwb9fwd1jUfew1V+6s5GbCh7+Ymf+xzxTmVXSuXIgzdQLJXG vvZQ15cdaeDlZAng7SIYQ== X-UI-Out-Filterresults: notjunk:1; V01:K0:iKXrbG1vnoo=:xLGtScEwhlit8TEA+S1WgD NzByujS3PpfIW1K7vg6GUIsvZD9wGVRoCQz0UkoWJ+06v8lq8vQmLn3Jh+dNuGwCjHeKx+gN2 28/fOPF1tV0NWCQsLe3ZO7mmn2N2vyu/uXfXTDOVAzosssHyl1Wj2M5B+/+I0BEimtpThkbQ0 s5fQLenccLBChIddPJhlUWFrA9s/5qr8WBkZC+yMSczd2lanTP+evj7Y1N5jAxeMaYTHoGFbp LqfNrj7hlUhuUn6rLbUJfmvv6dkkZMagLoqySq/3DZptRHM8l1i0UV2UnIcseGD5MjM200Z/2 hl1wbpm2cKG6x/USxkCzi5Q6Z2SgkgY081ZAp83Cd8wrJlQk/NZwojo7q8i3nvI1h5+Sl76PK xmgp2cWF4EDy2tcQ4j3ArXkCBxTrwNi7UDXSPJCLu+d8bzkGCTdVedSoszYPEYcGvmnFhB/a0 eCyhf1W0OqfRncO4J4WZmyxwIgvk2pirFn2gt/uYiCIAYlFFSyVMioc/EocFjgr1zsow/LMsg /3hut/gC1ozQiLN/kx5+txxQWJex27TI7HdGFD9YL4c/77Qqd6Oh3VhU27l/V7cfzsebt05f7 ayrI7qKzzhCx6hXTZE0ORh7jxT1iAZSPUfPvM5jEt15/HdUyWXuZD4KFmU0nrgJlzwKIzjHgo OJdVBt/tYddB6tdsmRJlXl0jk2Uofz1eU1Sp4SBXQ1HqNzhilAggXhADNoyjH43EnO8xHIcqA gIcRjYyaaa5uqvHENIOULY3w7gh5C/gbTErJ44Ugo+fErnbld9gNswHv/pE= Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP While testing other changes, I discovered that gcc-7.2.1 produces badly optimized code for aes_encrypt/aes_decrypt. This is especially true when CONFIG_UBSAN_SANITIZE_ALL is enabled, where it leads to extremely large stack usage that in turn might cause kernel stack overflows: crypto/aes_generic.c: In function 'aes_encrypt': crypto/aes_generic.c:1371:1: warning: the frame size of 4880 bytes is larger than 2048 bytes [-Wframe-larger-than=] crypto/aes_generic.c: In function 'aes_decrypt': crypto/aes_generic.c:1441:1: warning: the frame size of 4864 bytes is larger than 2048 bytes [-Wframe-larger-than=] I verified that this problem exists on all architectures that are supported by gcc-7.2, though arm64 in particular is less affected than the others. I also found that gcc-7.1 and gcc-8 do not show the extreme stack usage but still produce worse code than earlier versions for this file, apparently because of optimization passes that generally provide a substantial improvement in object code quality but understandably fail to find any shortcuts in the AES algorithm. Possible workarounds include a) disabling -ftree-pre and -ftree-sra optimizations, this was an earlier patch I tried, which reliably fixed the stack usage, but caused a serious performance regression in some versions, as later testing found. b) disabling UBSAN on this file or all ciphers, as suggested by Ard Biesheuvel. This would lead to massively better crypto performance in UBSAN-enabled kernels and avoid the stack usage, but there is a concern over whether we should exclude arbitrary files from UBSAN at all. c) Forcing the optimization level in a different way. Similar to a), but rather than deselecting specific optimization stages, this now uses "gcc -Os" for this file, regardless of the CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE/SIZE option. This is a reliable workaround for the stack consumption on all architecture, and I've retested the performance results now on x86, cycles/byte (lower is better) for cbc(aes-generic) with 256 bit keys: -O2 -Os gcc-6.3.1 14.9 15.1 gcc-7.0.1 14.7 15.3 gcc-7.1.1 15.3 14.7 gcc-7.2.1 16.8 15.9 gcc-8.0.0 15.5 15.6 This implements the option c) by enabling forcing -Os on all compiler versions starting with gcc-7.1. As a workaround for PR83356, it would only be needed for gcc-7.2+ with UBSAN enabled, but since it also shows better performance on gcc-7.1 without UBSAN, it seems appropriate to use the faster version here as well. Side note: during testing, I also played with the AES code in libressl, which had a similar performance regression from gcc-6 to gcc-7.2, but was three times slower overall. It might be interesting to investigate that further and possibly port the Linux implementation into that. Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651 Cc: Richard Biener Cc: Jakub Jelinek Cc: Ard Biesheuvel Signed-off-by: Arnd Bergmann Acked-by: Ard Biesheuvel --- crypto/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/Makefile b/crypto/Makefile index d674884b2d51..daa69360e054 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -99,6 +99,7 @@ obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 obj-$(CONFIG_CRYPTO_AES) += aes_generic.o +CFLAGS_aes_generic.o := $(call cc-ifversion, -ge, 0701, -Os) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o