Re: [PATCH v2] crypto: ecc - Fix carry overflow in vli multiplication

From: Qingfang Deng

Date: Wed May 13 2026 - 08:51:40 EST


On Wed, 13 May 2026 at 13:57:40 +0300, Anastasia Tishchenko wrote:
> diff --git a/crypto/ecc.c b/crypto/ecc.c
> index 43b0def3a225..6eb4d97a5f0d 100644
> --- a/crypto/ecc.c
> +++ b/crypto/ecc.c
> @@ -393,14 +393,26 @@ static uint128_t mul_64_64(u64 left, u64 right)
> return result;
> }
>
> -static uint128_t add_128_128(uint128_t a, uint128_t b)
> +/* Calculate addition with overflow checking. Returns true on wrap-around,
> + * false otherwise.
> + */
> +static bool check_add_128_128_overflow(uint128_t *result, uint128_t a,
> + uint128_t b)
> {
> - uint128_t result;
> + bool carry;
>
> - result.m_low = a.m_low + b.m_low;
> - result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low);
> + result->m_low = a.m_low + b.m_low;
> + carry = (result->m_low < a.m_low);
>
> - return result;
> + result->m_high = a.m_high + b.m_high + carry;

If CONFIG_ARCH_SUPPORTS_INT128 is defined, you can convert them to
"unsigned __int128" as done in mul_64_64(), and use check_add_overflow()
to get the carry.

> +
> + /* Using constant-time bitwise arithmetic to prevent timing
> + * side-channels.
> + */
> + carry = (result->m_high < a.m_high) |
> + ((result->m_high == a.m_high) & carry);
> +
> + return carry;
> }
>
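Review bot: the comment above the final carry computation promises constant-time behaviour, but `carry = (result->m_low < a.m_low)` earlier in the hunk and the two comparisons inside the final expression are ordinary relational operators, and the C standard gives no guarantee that a compiler emits them branch-free; what `|` and `&` actually buy over `||` and `&&` is the absence of short-circuit evaluation. Suggest wording the comment to say exactly that ("bitwise ops so no short-circuit branch is emitted") rather than claiming side-channel freedom, or documenting which compiler behaviour the claim relies on. Two smaller points: the kernel's coding style wants a block comment to open with a bare `/*` line, so `/* Calculate addition with overflow checking. Returns true on wrap-around,` should become `/*` followed by the text on the next line; and the hunk header announces 26 added lines but the quoted part stops at the function's closing brace, so the callers that are meant to consume the new bool return value are not visible here and cannot be checked in this reply.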

Regards,
Qingfang
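Added example, not part of the patch or of Qingfang's reply: a user-space C check of the carry chain quoted above. It assumes the two-limb layout of crypto/ecc.c's uint128_t (fields m_low and m_high) under a local name, and compares the patch's limb-wise carry against native `unsigned __int128` with `__builtin_add_overflow`, the compiler builtin the kernel's check_add_overflow() wraps, on the inputs where the carry decision is subtle.

```c
#include <stdbool.h>
#include <stdint.h>
typedef struct { uint64_t m_low, m_high; } limbs128; /* stand-in for ecc.c's uint128_t */

/* Limb-wise add with carry as in the patch; true if the 128-bit sum wrapped. */
static bool add_128_128_carry(limbs128 *r, limbs128 a, limbs128 b)
{
	bool carry;
	r->m_low = a.m_low + b.m_low;
	carry = (r->m_low < a.m_low);
	r->m_high = a.m_high + b.m_high + carry;
	/* bitwise | and & rather than || and &&: no short-circuit branch */
	carry = (r->m_high < a.m_high) | ((r->m_high == a.m_high) & carry);
	return carry;
}

/* Reference via unsigned __int128 and the builtin behind check_add_overflow(). */
static bool add_128_128_ref(limbs128 *r, limbs128 a, limbs128 b)
{
	unsigned __int128 s, x = ((unsigned __int128)a.m_high << 64) | a.m_low;
	unsigned __int128 y = ((unsigned __int128)b.m_high << 64) | b.m_low;
	bool wrapped = __builtin_add_overflow(x, y, &s);
	r->m_low = (uint64_t)s;
	r->m_high = (uint64_t)(s >> 64);
	return wrapped;
}

static bool agree(limbs128 a, limbs128 b)
{
	limbs128 r1, r2;
	bool c1 = add_128_128_carry(&r1, a, b), c2 = add_128_128_ref(&r2, a, b);
	return c1 == c2 && r1.m_low == r2.m_low && r1.m_high == r2.m_high;
}

/* Constructed edge cases around the carry chain; true if all agree. */
static bool check_edge_cases(void)
{
	const uint64_t M = UINT64_MAX;
	const limbs128 cases[][2] = {
		{{M, 0}, {1, 0}},     /* low carries into high, no wrap */
		{{M, M}, {1, 0}},     /* 2^128 - 1 + 1: wraps to zero */
		{{M, M - 1}, {1, M}}, /* high == a.m_high only because of the carry */
		{{0, M}, {0, M}},     /* high wraps with no low carry */
		{{0, 5}, {0, 0}},     /* high == a.m_high, no carry, no wrap */
	};
	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		if (!agree(cases[i][0], cases[i][1]))
			return false;
	return true;
}
```

The third case is the one the `(result->m_high == a.m_high) & carry` term exists for: the high limb ends up equal to a.m_high even though the sum wrapped.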