[Openswan Users] keeping SA made OCF resource leak
David McCullough
David_Mccullough at securecomputing.com
Thu Jul 30 19:24:36 EDT 2009
Jivin willer.wang at cybertan.com.tw lays it down ...
> On 2009-07-29 06:33, David McCullough wrote:
> >
> > Jivin Paul Wouters lays it down ...
> > > On Wed, 22 Jul 2009, willer.wang@??? wrote:
> > >
> > >> 3. I don't know what the purpose is of OPENSWAN keeping all old outbound SAs all the time. To prevent rebuilding the same SA?
>
> > >
> > > To ensure a seamless transition, the old receiving SA's are kept until
> > > traffic arrives on the new SA. On the outgoing SA, I believe we drop
> > > the old one as soon as we are ready to use the new one for traffic.
> >
> > Yep, I thought that too, but it seems that something is definitely broken.
> > I can see the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time.
> > Most certainly seems to be rekey related.
> >
> > Hopefully it won't take too long to track the offending refcount discrepancy
> > and get this fixed ;-)
> >
> > Cheers,
> > Davidm
> >
> >
>
> I found a strange point about this problem.
>
> As I said before, an expired SA did not free the related OCF resource.
>
> Here is my observation: an outbound SA like esp.e43d2490 at 10.0.0.1 expired.
>
> Now it enters the function ipsec_sa_rm() with refcount=3, ocf_in_use=1.
>
> Because the refcount > 1, this SA is just removed from the hash table, but does not enter the function ipsec_sa_wipe().
>
> However, this expired SA finally enters the function ipsec_sa_wipe() because the refcount becomes 0.
>
> But now, the ocf_in_use flag of this SA has also become 0, and it will not enter ipsec_ocf_sa_free().
>
> So the related OCF resources are always kept.
>
> I really cannot understand why the ocf_in_use of this SA can become 0 before entering ipsec_ocf_sa_free().

Ok, so I looked at this first. ocf_in_use is only set by ipsec_ocf_sa_init
and is only cleared by ipsec_ocf_sa_free.

The only possible explanations I can see for now are:

* there is memory corruption somewhere
  (which OCF HW driver are you using?)
* perhaps you are looking at an SA that has already been released?

Did I ask which openswan version you are using? Any idea which OCF version?

Cheers,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
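
A simplified user-space model of the SA lifecycle discussed in this thread, added here as an illustration and not taken from Openswan or OCF source. The function names mirror those in the thread; the session ledger, `sa_put()`, `run_expiry()` and its `flag_lost` switch are assumptions, the last standing in for whatever makes ocf_in_use read 0 without ipsec_ocf_sa_free having run.

```c
/* Simplified user-space model of the SA/OCF lifecycle from the thread.
 * NOT Openswan or OCF source: the ledger, sa_put() and run_expiry() are assumed. */
#include <stdio.h>
#include <string.h>

#define MAX_SESS 8
static int sess_live[MAX_SESS];   /* independent ledger of allocated OCF sessions */

struct sa { int refcount, hashed, ocf_in_use, sid; };

static int ocf_sa_init(struct sa *s) {        /* stands in for ipsec_ocf_sa_init */
    for (int i = 0; i < MAX_SESS; i++)
        if (!sess_live[i]) { sess_live[i] = 1; s->sid = i; s->ocf_in_use = 1; return 0; }
    return -1;
}
static void ocf_sa_free(struct sa *s) {       /* stands in for ipsec_ocf_sa_free */
    sess_live[s->sid] = 0;
    s->ocf_in_use = 0;
}
static void sa_wipe(struct sa *s) {           /* stands in for ipsec_sa_wipe */
    if (s->ocf_in_use)                        /* session is released only if flag is set */
        ocf_sa_free(s);
}
static void sa_put(struct sa *s) { if (--s->refcount == 0) sa_wipe(s); }
static void sa_rm(struct sa *s)  { s->hashed = 0; sa_put(s); }  /* ipsec_sa_rm */

static int live_sessions(void) {
    int n = 0;
    for (int i = 0; i < MAX_SESS; i++) n += sess_live[i];
    return n;
}

/* Expire one SA that starts with refcount=3, ocf_in_use=1 (values from the thread).
 * flag_lost=1 models the flag reading 0 at wipe time although free never ran.
 * Returns the number of OCF sessions still allocated afterwards (0 = no leak). */
int run_expiry(int flag_lost) {
    struct sa s = { .refcount = 3, .hashed = 1 };
    memset(sess_live, 0, sizeof sess_live);
    if (ocf_sa_init(&s) != 0) return -1;
    sa_rm(&s);                    /* 3 -> 2: unhashed, wipe not reached */
    if (flag_lost) s.ocf_in_use = 0;
    sa_put(&s);                   /* 2 -> 1 */
    sa_put(&s);                   /* 1 -> 0: sa_wipe() runs */
    return live_sessions();
}

int main(void) {
    printf("flag intact: %d session(s) left\n", run_expiry(0));
    printf("flag lost:   %d session(s) left\n", run_expiry(1));
    return 0;
}
```

In this model a session that survives after the refcount has reached 0 points at the flag rather than at a missing reference drop, which is the distinction a ledger kept independently of the SA structure makes visible.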