ofproto-dpif: Fix use-after-free error deleting last bridge.
author Ben Pfaff <blp@nicira.com>
Mon, 16 Sep 2013 21:53:27 +0000 (14:53 -0700)
committer Ben Pfaff <blp@nicira.com>
Tue, 17 Sep 2013 20:51:36 +0000 (13:51 -0700)
commit 68542154b46e18a96d871e421dcbfb630c7bf0b0
tree 9ec21695212e0e5f644c448e6763ad7594afb03b
parent 32643a6a2d410099035b413924f3f824d6fbe034

valgrind reported:

    Invalid read of size 4
       at 0x806ADC1: odp_port_to_ofport (hmap.h:267)
       by 0x8077C05: xlate_receive (ofproto-dpif-xlate.c:523)
       by 0x8073994: handle_miss_upcalls (ofproto-dpif-upcall.c:642)
       by 0x80741AA: udpif_miss_handler (ofproto-dpif-upcall.c:412)
       by 0x56FCC38: start_thread (pthread_create.c:304)
       by 0x735378D: clone (clone.S:130)
     Address 0x786c084 is 4 bytes inside a block of size 16 free'd
       at 0x4D8350C: free (vg_replace_malloc.c:427)
       by 0x8065EDA: close_dpif_backer (ofproto-dpif.c:1094)

The problem is that close_dpif_backer() destroys odp_to_ofport_map and the
associated mutex before it calls udpif_destroy() to stop the forwarding
threads.  This gives the forwarding threads a window in which to try to
use odp_to_ofport_map.

This commit moves the udpif_destroy() call much earlier, solving the
problem.  (The call to udpif_destroy() must follow the call to
drop_key_clear() because drop_key_clear() uses the udpif.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
ofproto/ofproto-dpif.c
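
The teardown ordering described in the commit message, as an added example that is not part of the commit or of Open vSwitch: a minimal pthreads model in which `struct backer`, `port_map`, `backer_open()` and `backer_close()` are hypothetical stand-ins for the backer, odp_to_ofport_map and close_dpif_backer(). The close path stops and joins the reader thread before it frees the map and destroys the mutex.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the backer's shared state; not OVS code. */
struct backer {
    pthread_mutex_t map_mutex;  /* guards port_map */
    int *port_map;              /* plays the role of odp_to_ofport_map */
    atomic_bool stop;           /* tells the worker to exit */
    atomic_ulong lookups;       /* lookups the worker completed */
    pthread_t worker;           /* plays the role of a forwarding thread */
};

static void *worker_main(void *arg) {
    struct backer *b = arg;
    do {  /* always reads at least once, so the map must outlive the thread */
        pthread_mutex_lock(&b->map_mutex);
        atomic_fetch_add(&b->lookups, b->port_map[0] == 42);  /* map read */
        pthread_mutex_unlock(&b->map_mutex);
    } while (!atomic_load(&b->stop));
    return NULL;
}

struct backer *backer_open(void) {
    struct backer *b = calloc(1, sizeof *b);  /* zeroes stop and lookups */
    if (!b) return NULL;
    pthread_mutex_init(&b->map_mutex, NULL);
    b->port_map = malloc(sizeof *b->port_map);
    if (b->port_map) b->port_map[0] = 42;     /* constructed sample entry */
    if (!b->port_map || pthread_create(&b->worker, NULL, worker_main, b)) {
        pthread_mutex_destroy(&b->map_mutex);
        free(b->port_map);
        free(b);
        return NULL;
    }
    return b;
}

/* Safe teardown order; returns how many lookups the worker completed. */
unsigned long backer_close(struct backer *b) {
    atomic_store(&b->stop, true);          /* 1. ask the reader to stop ... */
    pthread_join(b->worker, NULL);         /*    ... and wait until it has exited */
    free(b->port_map);                     /* 2. only now free what it was reading */
    pthread_mutex_destroy(&b->map_mutex);  /*    and the mutex it was locking */
    unsigned long n = atomic_load(&b->lookups);
    free(b);
    return n;
}
```

Build with `cc -pthread`; running the result under valgrind or ThreadSanitizer shows no invalid read, because no thread that touches `port_map` is still alive when it is freed.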