ofproto-dpif: Fix use-after-free error deleting last bridge.

valgrind reported:

    Invalid read of size 4
       at 0x806ADC1: odp_port_to_ofport (hmap.h:267)
       by 0x8077C05: xlate_receive (ofproto-dpif-xlate.c:523)
       by 0x8073994: handle_miss_upcalls (ofproto-dpif-upcall.c:642)
       by 0x80741AA: udpif_miss_handler (ofproto-dpif-upcall.c:412)
       by 0x56FCC38: start_thread (pthread_create.c:304)
       by 0x735378D: clone (clone.S:130)
     Address 0x786c084 is 4 bytes inside a block of size 16 free'd
       at 0x4D8350C: free (vg_replace_malloc.c:427)
       by 0x8065EDA: close_dpif_backer (ofproto-dpif.c:1094)

The problem is that close_dpif_backer() destroys odp_to_ofport_map and the
associated mutex before it calls udpif_destroy() to stop the forwarding
threads.  This gives the forwarding threads a window in which to try to
use odp_to_ofport_map.

This commit moves the udpif_destroy() call much earlier, solving the
problem.  (The call to udpif_destroy() must follow the call to
drop_key_clear() because drop_key_clear() uses the udpif.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index b5c9c93..8945b00 100644 (file)
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1091,13 +1091,14 @@ close_dpif_backer(struct dpif_backer *backer)
     drop_key_clear(backer);
     hmap_destroy(&backer->drop_keys);
 
+    udpif_destroy(backer->udpif);
+
     simap_destroy(&backer->tnl_backers);
     ovs_rwlock_destroy(&backer->odp_to_ofport_lock);
     hmap_destroy(&backer->odp_to_ofport_map);
     node = shash_find(&all_dpif_backers, backer->type);
     free(backer->type);
     shash_delete(&all_dpif_backers, node);
-    udpif_destroy(backer->udpif);
     dpif_close(backer->dpif);
 
     ovs_assert(hmap_is_empty(&backer->subfacets));