From a530cd0e9f2558cc32b67f9c95b257694b417b28 Mon Sep 17 00:00:00 2001
From: Matthew Smith <mgsmith@netgate.com>
Date: Wed, 21 Feb 2018 23:32:05 -0600
Subject: Fix crypto session deletion crash

When using a DPDK cryptodev with IPsec, deleting a
session often results in a SEGV. A bad pointer
is being passed to rte_cryptodev_sym_session_free().

Put the correct value on the crypto disposal list and
add a check to determine whether the call to free the
session is going to result in a crash before doing
it.

Change-Id: I8a6b0a594585ebcfa56b555ede7ef7d67e5e2b33
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
---
 src/plugins/dpdk/ipsec/ipsec.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'src/plugins')

diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c
index 3dce075725b..dbb069c9e2e 100644
--- a/src/plugins/dpdk/ipsec/ipsec.c
+++ b/src/plugins/dpdk/ipsec/ipsec.c
@@ -457,8 +457,11 @@ dpdk_crypto_session_disposal (crypto_session_disposal_t * v, u64 ts)
 	  set_session_private_data (s->session, drv_id, NULL);
 	}
 
-      ret = rte_cryptodev_sym_session_free (s->session);
-      ASSERT (!ret);
+      if (rte_mempool_from_obj(s->session))
+	{
+	  ret = rte_cryptodev_sym_session_free (s->session);
+	  ASSERT (!ret);
+	}
     }
   /* *INDENT-ON* */
 
@@ -505,18 +508,18 @@ add_del_sa_session (u32 sa_index, u8 is_add)
   vec_foreach (data, dcm->data)
     {
       val = hash_get (data->session_by_sa_index, sa_index);
-      s = (struct rte_cryptodev_sym_session *) val;
 
-      if (!s)
+      if (!val)
 	continue;
 
+      s = (struct rte_cryptodev_sym_session *) val[0];
+
       vec_foreach_index (drv_id, dcm->drv)
 	{
 	  key.drv_id = drv_id;
 	  val = hash_get (data->session_by_drv_id_and_sa_index, key.val);
-	  s = (struct rte_cryptodev_sym_session *) val;
 
-	  if (!s)
+	  if (!val)
 	    continue;
 
 	  hash_unset (data->session_by_drv_id_and_sa_index, key.val);
-- 
cgit 1.2.3-korg