Date:      Thu, 5 Jul 2007 12:55:15 GMT
From:      Fabien THOMAS <fabien.thomas@netasq.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   i386/114331: VIA padlock freesession bug
Message-ID:  <200707051255.l65CtFZ5011418@www.freebsd.org>
Resent-Message-ID: <200707051300.l65D0Bni080351@freefall.freebsd.org>


>Number:         114331
>Category:       i386
>Synopsis:       VIA padlock freesession bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 05 13:00:10 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Fabien THOMAS
>Release:        FreeBSD 6.2-p5
>Organization:
NETASQ
>Environment:
>Description:
There is a bug in the VIA padlock cryptodev code:

When sessions are recycled, the freed session is not inserted at the right place (head). The resulting bug is that if you have one program with cryptodev opened and a second one doing open / close, the kernel will continuously grow because the recycling will not occur.

Hidden behind this bug is a second one that leaves the system completely unusable because the session id is cleared and not allocated again on a cached session.



>How-To-Repeat:
Launch one program with an open crypto session.
Launch a second one periodically (on each run you will lose some KB of memory).
>Fix:
Find attached a fix for the problem.

Another, better solution is to rework the session cache by having a free list with an active count and a maximum cached entry.

Patch attached with submission follows:

--- padlock.c.orig	Thu Jul  5 12:26:18 2007
+++ padlock.c	Thu Jul  5 12:34:40 2007
@@ -222,6 +222,7 @@
 	else {
 		TAILQ_REMOVE(&sc->sc_sessions, ses, ses_next);
 		ses->ses_used = 1;
+		ses->ses_id = sc->sc_sid++;
 		TAILQ_INSERT_TAIL(&sc->sc_sessions, ses, ses_next);
 	}
 	mtx_unlock(&sc->sc_sessions_mtx);
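Review bot: The added `ses->ses_id = sc->sc_sid++;` in the reuse branch carries no comment explaining why a recycled session needs a fresh id, and the reason sits in a different function: the free path calls `bzero(ses, sizeof(*ses))`, which clears `ses_id`. A one-line comment here would tie the two sites together so a later change to the free path does not silently break id assignment. Since every reuse now consumes a counter value, it is also worth confirming that `sc_sid` cannot wrap onto an id still held by a live session; nothing in the visible lines guards against that.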
@@ -276,7 +277,7 @@
 	padlock_hash_free(ses);
 	bzero(ses, sizeof(*ses));
 	ses->ses_used = 0;
-	TAILQ_INSERT_TAIL(&sc->sc_sessions, ses, ses_next);
+	TAILQ_INSERT_HEAD(&sc->sc_sessions, ses, ses_next);
 	mtx_unlock(&sc->sc_sessions_mtx);
 	return (0);
 }
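Review bot: The change to `TAILQ_INSERT_HEAD` relies on an ordering invariant (free sessions at the head, in-use sessions at the tail, matching the `TAILQ_INSERT_TAIL` in the reuse branch) that is not stated anywhere in these lines. A short comment above the insert spelling out that invariant would help keep a later edit from reintroducing the memory growth. Separately, `ses->ses_used = 0;` immediately after `bzero(ses, sizeof(*ses));` is redundant; either drop it or note that it is kept deliberately for readability.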


>Release-Note:
>Audit-Trail:
>Unformatted:
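A user-space model of the memory growth described in this report, added here as an illustration; it is not the padlock driver's code. It assumes the allocator inspects only the head of the session list for a free entry, which is what the report's remark about the head implies, and all struct and function names are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* Constructed model: names echo the patch, but this is not padlock.c. */
struct ses { int used; unsigned id; TAILQ_ENTRY(ses) next; };
TAILQ_HEAD(seslist, ses);
struct softc { struct seslist list; unsigned sid; unsigned allocated; };

/* Assumption: only the head of the list is checked for a free entry. */
static struct ses *new_session(struct softc *sc)
{
	struct ses *s = TAILQ_FIRST(&sc->list);
	if (s == NULL || s->used) {
		s = calloc(1, sizeof(*s));      /* no cached entry found: allocate */
		if (s == NULL) abort();
		sc->allocated++;
	} else {
		TAILQ_REMOVE(&sc->list, s, next); /* reuse the cached entry */
	}
	s->used = 1;
	s->id = sc->sid++;                  /* id assigned on both paths */
	TAILQ_INSERT_TAIL(&sc->list, s, next);
	return s;
}

/* fixed == 0 models the old tail insert, fixed != 0 the patched head insert. */
static void free_session(struct softc *sc, struct ses *s, int fixed)
{
	TAILQ_REMOVE(&sc->list, s, next);
	memset(s, 0, sizeof(*s));           /* clears used and id, like bzero() */
	if (fixed) TAILQ_INSERT_HEAD(&sc->list, s, next);
	else TAILQ_INSERT_TAIL(&sc->list, s, next);
}

/* One long-lived session plus `cycles` open/close pairs; returns allocations. */
unsigned simulate(int fixed, int cycles)
{
	struct softc sc = { .sid = 0, .allocated = 0 };
	struct ses *s;
	TAILQ_INIT(&sc.list);
	new_session(&sc);                   /* the program that stays open */
	for (int i = 0; i < cycles; i++)
		free_session(&sc, new_session(&sc), fixed);
	unsigned n = sc.allocated;
	while ((s = TAILQ_FIRST(&sc.list)) != NULL) {
		TAILQ_REMOVE(&sc.list, s, next);
		free(s);
	}
	return n;
}
```

With the tail insert, the in-use session stays at the head, so the freed entries behind it are never found and each open/close pair allocates again; with the head insert the same entry is recycled.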


