git.cascardo.info Git - cascardo/ovs.git/commit

author	Ben Pfaff <blp@nicira.com>
	Tue, 25 Feb 2014 16:01:01 +0000 (08:01 -0800)
committer	Ben Pfaff <blp@nicira.com>
	Tue, 25 Feb 2014 16:50:58 +0000 (08:50 -0800)
commit	dd2e44f835fac8c2df99f84c54250c3ca981f2f5
tree	28586432eaf34e1278991766853d947fd73ddce1	tree \| snapshot
parent	19133b5df5c91f7a61a318c83d4ed79755f367d6	commit \| diff

ofproto-dpif: Complete all packet translations before freeing an ofproto.

The following scenario can occur:

   1. Handler thread grabs a pointer to an ofproto in handle_upcalls().

   2. Main thread removes ofproto and destroys it in destruct().

   3. Handler thread uses pointer to ofproto and accesses freed memory.
      BOOM!

Each individual step above happens under the xlate_rwlock, but the ofproto
pointer is retained from step 1 to step 3, hence the problem.  This commit
fixes the problem by ensuring that after an ofproto is removed but before
it is destroyed, all packet translations get pushed all the way through
the upcall handler pipeline.  (No new packet translations can get a pointer
to the removed ofproto.)

Bug #1200351.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>

ofproto/ofproto-dpif-upcall.c		diff \| blob \| history
ofproto/ofproto-dpif-upcall.h		diff \| blob \| history
ofproto/ofproto-dpif.c		diff \| blob \| history