[ovs-dev] [PATCH] pinctrl: Fix crash on buffered packets hmap double remove.

Ilya Maximets i.maximets at samsung.com
Mon Nov 12 12:19:57 UTC 2018


'destroy_buffered_packets()' removes the hmap node which was
already removed by 'HMAP_FOR_EACH_POP()', producing the following
crash log:

    Invalid read of size 8
        at 0x134EDB: hmap_remove (hmap.h:287)
        by 0x134EDB: destroy_buffered_packets (pinctrl.c:237)
        by 0x13AB3B: destroy_buffered_packets_map (pinctrl.c:246)
        by 0x13AB3B: pinctrl_destroy (pinctrl.c:1804)
        by 0x12C0CF: main (ovn-controller.c:916)
    Address 0x8 is not stack'd, malloc'd or (recently) free'd

Could be captured by check-valgrind on the following test:
    '2720. ovn -- IP packet buffering'

CC: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
Signed-off-by: Ilya Maximets <i.maximets at samsung.com>
---
 ovn/controller/pinctrl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c
index e3ee516e4..21454ab47 100644
--- a/ovn/controller/pinctrl.c
+++ b/ovn/controller/pinctrl.c
@@ -241,8 +241,8 @@ destroy_buffered_packets(struct buffered_packets *bp)
 static void
 destroy_buffered_packets_map(void)
 {
-    struct buffered_packets *bp;
-    HMAP_FOR_EACH_POP (bp, hmap_node, &buffered_packets_map) {
+    struct buffered_packets *bp, *next;
+    HMAP_FOR_EACH_SAFE (bp, next, hmap_node, &buffered_packets_map) {
         destroy_buffered_packets(bp);
     }
     hmap_destroy(&buffered_packets_map);
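Review bot: In destroy_buffered_packets_map(), the new HMAP_FOR_EACH_SAFE loop is only correct because destroy_buffered_packets() unlinks bp from buffered_packets_map itself (the hmap_remove at pinctrl.c:237 in the trace above), and nothing at the call site says so. A short comment above the loop noting that the helper removes the node would keep a later change to the helper from leaving entries in the map when hmap_destroy(&buffered_packets_map) runs. The alternative is to keep HMAP_FOR_EACH_POP here and move the hmap_remove out of the helper into its other callers, which makes node ownership explicit at each call site; either is fine, but the commit message should say which contract is intended.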
-- 
2.17.1


