[Openswan Users] keeping SA made OCF resource leak

David McCullough David_Mccullough at securecomputing.com
Thu Jul 30 19:24:36 EDT 2009


Jivin willer.wang at cybertan.com.tw lays it down ...
> On 2009-07-29 06:33, David McCullough wrote: 
> > 
> > Jivin Paul Wouters lays it down ... 
> > > On Wed, 22 Jul 2009, willer.wang@??? wrote: 
> > > 
> > >> 3. I don't know what's the purpose of OPENSWAN keeps all old outbound SAs all the time. Preventing to rebuild a same SA?
> 
> > > 
> > > To ensure a seamless transition, the old receiving SA's are kept until 
> > > traffic arrives on the new SA. On the outgoing SA, I believe we drop 
> > > the old one as soon as we are ready to use the new one for traffic. 
> > 
> > Yep,  I thought that to,  but it seems that something is definately broken. 
> > I can see the SA's increasing (cat /proc/net/ipsec_spi | wc -l) over time. 
> > Most certainly seems to be rekey related. 
> > 
> > Hopefully it won't take too long to track the offending refcount discrepancy 
> > and get this fixed ;-) 
> > 
> > Cheers, 
> > Davidm 
> > 
> >
> 
> I found a strange point about this problem. 
> 
> As I said before, an expired SA did not free related OCF resource.
> 
> Here is my observing, an outbound SA like esp.e43d2490 at 10.0.0.1 expired.
> 
> Now it enter the function “ipsec_sa_rm( )”with refcount=3 , ocf_in_use=1.
> 
> Because of the refcount >1, this SA just be removed from hash table, but will not enter the function “ipsec_sa_wipe( )”.
> 
> However, this expired SA finally enter the function   ipsec_sa_wipe( ) because the refcount become 0.
> 
> But now, the ocf_in_use flag of this SA also become “0”, and will not enter “ipsec_ocf_sa_free( )”.
> 
> So the related OCF resourced became always kept.
> 
> I really can not understand why the ocf_in_use of this SA can become 0 before entering ipsec_ocf_sa_free( ).

Ok,  so I looked at this first.  ocf_in_use is only set by ipsec_ocf_sa_init
and is only cleared by ipsec_ocf_sa_free.

The only possible explanations I can for now are

	* there is memory corruption somewhere
	  (which OCF HW driver are you using ?)
	
	* perhaps you are looking at an SA that has already been released ?

Did I ask which openswan version you are using ?  Any idea which OCF version ?

Cheers
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org


More information about the Users mailing list