gerrit.fd Code Review - vpp.git/commit

author	Matthew Smith <mgsmith@netgate.com>
	Fri, 4 Jun 2021 14:18:37 +0000 (09:18 -0500)
committer	Matthew Smith <mgsmith@netgate.com>
	Tue, 8 Jun 2021 16:05:37 +0000 (16:05 +0000)
commit	51d56bab707965399d524c350eaaa33d20b55244
tree	06faf8d070cae252b9af810d3ae23371d6e501e4	tree \| snapshot
parent	4de5f9be88857197ddf17e3bff66318f78f4b6bb	commit \| diff

ipsec: fix async crypto frame leak

Type: fix

If an async crypto frame is allocated during ESP encrypt/decrypt but
a buffer/op is not subsequently added to the frame, the frame leaks. It
is not submitted if the count of async ops is zero nor is it
returned to the frame pool. This happens frequently if >= 2 worker
threads are configured and a vector of buffers all have to be handed
off to other threads.

Wait until it is almost certain that the buffer will be added to the
frame before allocating the frame to make it more unlikely that an
allocated frame will not have any operations added to it.

For encrypt this is sufficient to ressolve the leak. For decrypt there
is still a chance that the buffer will fail to be added to the frame, so
remove the counter of async ops and ensure that all frames that were
allocated get either submitted or freed at the end.

Change-Id: I4778c3265359b192d8a88ab9f8c53519d46285a2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

src/vnet/ipsec/esp_decrypt.c		diff \| blob \| history
src/vnet/ipsec/esp_encrypt.c		diff \| blob \| history