
Crash because the callback function in the polling thread accesses an invalid address.

Open tony-caotong opened this issue 4 years ago • 2 comments

When the qatdriver is configured in polling mode, the callback function in the polling thread accesses an invalid address. The address points to a temporary variable in the main thread, which has already been changed by the function __longjmp(). Here is the call stack:

    Program terminated with signal 11, Segmentation fault.
    #0  ASYNC_WAIT_CTX_get_fd (ctx=, key=0x7fda03a6db46, fd=fd@entry=0x7fda01fa6c9c, custom_data=custom_data@entry=0x7fda01fa6ca0) at crypto/async/async_wait.c:73
    73          if (curr->del) {
    Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.x86_64 elfutils-libelf-0.176-5.el7.x86_64 elfutils-libs-0.176-5.el7.x86_64 glibc-2.17-317.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-8.el7.x86_64 libgcc-4.8.5-44.el7.x86_64 nss-softokn-freebl-3.16.2.3-13.el7_1.x86_64 pcre-8.32-15.el7.x86_64 systemd-libs-219-78.el7_9.2.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
    (gdb) bt
    #0  ASYNC_WAIT_CTX_get_fd (ctx=, key=0x7fda03a6db46, fd=fd@entry=0x7fda01fa6c9c, custom_data=custom_data@entry=0x7fda01fa6ca0) at crypto/async/async_wait.c:73
    #1  0x00007fda03a5c82f in qat_wake_job (job=, jobStatus=) at qat_events.c:334
    #2  0x00007fda037bf26c in LacPke_MsgCallback () from /opt/quickassist/lib/libqat_s.so
    #3  0x00007fda037de617 in adf_user_notify_msgs_poll () from /opt/quickassist/lib/libqat_s.so
    #4  0x00007fda037da618 in adf_pollRing () from /opt/quickassist/lib/libqat_s.so
    #5  0x00007fda037da977 in icp_adf_pollInstance () from /opt/quickassist/lib/libqat_s.so
    #6  0x00007fda037d3b99 in icp_sal_CyPollInstance () from /opt/quickassist/lib/libqat_s.so
    #7  0x00007fda03a5e419 in qat_timer_poll_func (ih=) at qat_polling.c:254
    #8  0x00007fda06babea5 in start_thread () from /lib64/libpthread.so.0
    #9  0x00007fda05aa796d in clone () from /lib64/libc.so.6

The variable job in frame 2 is an invalid address.

I looked at the code of 'openssl', 'qat_engine' and 'qatdriver', and found that the reason is a bug in the function 'qat_dh_compute_key'; please confirm.

  1. First, the address of the temporary variable 'op_done' is transferred to the qatdriver polling thread using the function 'cpaCyDhKeyGenPhase2Secret()'.

  2. Then, in qat_pause_job(), if the API longjmp() is used in OPENSSL::async_fibre_swapcontext(), all the values in the call-stack memory are stored, and the value that 'op_done' points to is changed.

  3. Now, in the polling thread, it accesses an invalid address, and then: segmentation fault.

I also found that other code has the same problem, such as 'qat_dh_generate_key', 'qat_dsa_do_sign' and so on.

I found this problem using QAT_ENGINE 0.5.46, and the master code has the same problem. I use qatdriver 1.7.l.4.10.0.14.

Please confirm whether this is a bug or whether I am not running it with the right config. Thanks.

tony-caotong · Jan 19 '21 11:01
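A small model of the lifetime rule the diagnosis above hinges on, added here as an illustration and not taken from QAT_Engine, OpenSSL or the QAT driver: whatever address is handed to the driver with a request must stay valid until the callback runs on the polling thread. The names op_done, driver_submit, op_callback, poll_once, submit_job and run_roundtrip are hypothetical stand-ins, and the driver's request ring is simulated in-process so the block runs offline.

```c
/* Hypothetical model, not QAT_Engine code: the completion record handed to
 * the driver must stay valid until the polling-thread callback runs. */
#include <stdlib.h>
struct op_done { int flag; int status; };   /* flag set to 1 by callback */

/* Simulated driver request ring; it stores only the opaque cb_data pointer. */
struct pending { void *cb_data; int status; struct pending *next; };
static struct pending *ring;

static void driver_submit(void *cb_data, int status) {
    struct pending *p = malloc(sizeof *p);
    p->cb_data = cb_data; p->status = status; p->next = ring;
    ring = p;
}

/* In the real design this runs on the polling thread (cf. qat_wake_job). */
static void op_callback(void *cb_data, int status) {
    struct op_done *d = cb_data;
    d->status = status;
    d->flag = 1;
}

/* Drain the ring once; returns how many callbacks fired. */
int poll_once(void) {
    int fired = 0;
    while (ring) {
        struct pending *p = ring;
        ring = p->next;
        op_callback(p->cb_data, p->status);
        free(p);
        fired++;
    }
    return fired;
}

/* Heap-allocated on purpose: handing the driver &local would leave it an
 * address into a frame that may be gone before the poll thread uses it. */
struct op_done *submit_job(int status) {
    struct op_done *d = calloc(1, sizeof *d);
    driver_submit(d, status);
    return d;                    /* free only after flag == 1 */
}

/* Full round trip: submit, poll, read the status, release the record. */
int run_roundtrip(int status) {
    struct op_done *d = submit_job(status);
    int early = d->flag;         /* 0: callback has not fired yet */
    poll_once();
    int result = (early == 0 && d->flag) ? d->status : -1;
    free(d);
    return result;
}
```

The record is released only after the callback has set the flag, which is the ordering a real engine has to guarantee whether the waiting job is blocked, swapped out to a fiber, or resumed via longjmp.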