NetBSD-Bugs archive


kern/41069: CIOCNCRYPTRETM ioctl can panic kernel or cause hangs



>Number:         41069
>Category:       kern
>Synopsis:       CIOCNCRYPTRETM ioctl can panic LOCKDEBUG kernel or hang
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 24 23:20:01 +0000 2009
>Originator:     Thor Lancelot Simon
>Release:        NetBSD 5.0_RC2
>Organization:
>Environment:
        
        
System: NetBSD panix5.panix.com 5.0_RC2 NetBSD 5.0_RC2 (PANIX-XEN3U-USER-pae) 
#1: Sat Feb 21 20:24:11 EST 2009 
root%juggler.panix.com@localhost:/misc1/obj/misc2/devel/netbsd/5.0-RC2/src/sys/arch/i386/compile/PANIX-XEN3U-USER-pae
 i386
Architecture: i386
Machine: i386
>Description:
        The CIOCNCRYPTRETM ioctl on /dev/crypto can cause copyout() to be
        called with the crypto mutex -- a spin mutex -- held.  This causes
        a LOCKDEBUG kernel to panic, and can cause a non-LOCKDEBUG kernel
        to hang.
>How-To-Repeat:
        Submit a lot of requests to /dev/crypto with a test rig.  Find all
        your old dumb bugs, like this one.
>Fix:
        Change CIOCNCRYPTRETM to dequeue the specified number of requests
        into a temporary data structure -- like the one that already exists
        for delayed free! -- with the lock held, then do everything else,
        including copyout(), after releasing the lock.  How did I ever miss
        this when adding the delayed-free logic?

>Unformatted:
 non-LOCKDEBUG kernel.
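
The pattern named under Fix, as an added user-space model in C; it is not NetBSD's code or the submitter's patch. Every name here (`model_copyout`, `retm_copy_locked`, `retm_drain_then_copy`, the `lock_held` flag, the 8-entry batch array) is hypothetical, and the array stands in for the temporary structure the report mentions.

```c
#include <stddef.h>
#include <string.h>

struct req { struct req *next; int result; };
static struct req *done_head, **done_tail = &done_head; /* completed-request queue */
static int lock_held, violations; /* models the spin mutex; copies attempted under it */
/* Stand-in for copyout(): it can fault and sleep, so it must not run under a spin mutex. */
static void model_copyout(const void *src, void *dst, size_t len) {
    violations += lock_held;    /* counts the state a LOCKDEBUG kernel panics on */
    memcpy(dst, src, len);
}
static void q_put(struct req *r) {      /* append; producer-side locking omitted */
    r->next = NULL;
    *done_tail = r;
    done_tail = &r->next;
}
static struct req *q_take(void) {       /* pop the head; caller holds the lock */
    struct req *r = done_head;
    if (r != NULL && (done_head = r->next) == NULL)
        done_tail = &done_head;
    return r;
}
/* Before: each result is copied out while the queue lock is still held. */
static size_t retm_copy_locked(int *out, size_t max) {
    struct req *r;
    size_t n = 0;
    lock_held = 1;
    while (n < max && (r = q_take()) != NULL)
        model_copyout(&r->result, &out[n++], sizeof(r->result));
    lock_held = 0;
    return n;
}
/* After: unlink up to max requests under the lock, copy only once it is released. */
static size_t retm_drain_then_copy(int *out, size_t max) {
    struct req *batch[8], *r;   /* temporary holding area; 8 is an arbitrary cap */
    size_t n = 0, i;
    lock_held = 1;
    while (n < max && n < 8 && (r = q_take()) != NULL)
        batch[n++] = r;
    lock_held = 0;
    for (i = 0; i < n; i++)
        model_copyout(&batch[i]->result, &out[i], sizeof(batch[i]->result));
    return n;
}
int main(void) {
    struct req a = { NULL, 1 };     /* constructed sample request */
    int out[1];
    q_put(&a);
    return retm_drain_then_copy(out, 1) == 1 && violations == 0 ? 0 : 1;
}
```

The cap check comes before `q_take()` in the loop condition, so a request is never unlinked unless there is room to hold it.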
        
        

