ofproto-dpif: Discard any flow_miss_batches before destroy a ofproto

Commit dd2e44f835fac8 fixed a similar race conditions w.r.t.
removal of 'ofproto', but reintroduced this bug. While 'ofproto'
is being removed, the existing flow_miss_batches may still contain
references to the to be removed 'ofproto', causing access to freed
memory.

Bug #1202234

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index 7ec7e8d..6adc78e 100644 (file)
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -224,8 +224,8 @@ void
 udpif_synchronize(struct udpif *udpif)
 {
     /* This is stronger than necessary.  It would be sufficient to ensure
-     * (somehow) that each handler and revalidator thread had passed through
-     * its main loop once. */
+     * (somehow) that each handler thread had passed through its main
+     * loop once. */
     size_t n_handlers = udpif->n_handlers;
     if (n_handlers) {
         udpif_recv_set(udpif, 0, false);

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index cf421ae..ede7533 100644 (file)
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1411,6 +1411,10 @@ destruct(struct ofproto *ofproto_)
      * to the ofproto or anything in it. */
     udpif_synchronize(ofproto->backer->udpif);
 
+    /* Discard any flow_miss_batches queued up for 'ofproto', avoiding a
+     * use-after-free error. */
+    udpif_revalidate(ofproto->backer->udpif);
+
     hmap_remove(&all_ofproto_dpifs, &ofproto->all_ofproto_dpifs_node);
 
     OFPROTO_FOR_EACH_TABLE (table, &ofproto->up) {