[ovs-dev] [PATCH] pinctrl: Fix crash on buffered packets hmap double remove.

[Ben Pfaff]

On Mon, Nov 12, 2018 at 04:04:20PM +0100, Lorenzo Bianconi wrote:
> > 'destroy_buffered_packets()' removes the hmap node which was
> > already removed by 'HMAP_FOR_EACH_POP()' producing following
> > crash log:
> > 
> >     Invalid read of size 8
> >         at 0x134EDB: hmap_remove (hmap.h:287)
> >         by 0x134EDB: destroy_buffered_packets (pinctrl.c:237)
> >         by 0x13AB3B: destroy_buffered_packets_map (pinctrl.c:246)
> >         by 0x13AB3B: pinctrl_destroy (pinctrl.c:1804)
> >         by 0x12C0CF: main (ovn-controller.c:916)
> >     Address 0x8 is not stack'd, malloc'd or (recently) free'd
> > 
> > Could be captured by check-valgrind on the following test:
> >     '2720. ovn -- IP packet buffering'
> > 
> > CC: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
> > Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
> > Signed-off-by: Ilya Maximets <i.maximets at samsung.com>
> > ---
> >  ovn/controller/pinctrl.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c
> > index e3ee516e4..21454ab47 100644
> > --- a/ovn/controller/pinctrl.c
> > +++ b/ovn/controller/pinctrl.c
> > @@ -241,8 +241,8 @@ destroy_buffered_packets(struct buffered_packets *bp)
> >  static void
> >  destroy_buffered_packets_map(void)
> >  {
> > -    struct buffered_packets *bp;
> > -    HMAP_FOR_EACH_POP (bp, hmap_node, &buffered_packets_map) {
> > +    struct buffered_packets *bp, *next;
> > +    HMAP_FOR_EACH_SAFE (bp, next, hmap_node, &buffered_packets_map) {
> >          destroy_buffered_packets(bp);
> >      }
> >      hmap_destroy(&buffered_packets_map);
> > -- 
> > 2.17.1
> > 
> 
> Acked-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>

Thanks Ilya and Lorenzo, I applied this to master.