[ovs-dev] [PATCH 1/3] dpif-netdev: Fix cmap node use after free on flow disassociation.

Ilya Maximets i.maximets at samsung.com
Fri Oct 19 13:51:13 UTC 2018


Data pointed to by a cmap node must not be freed while iterating.
ovsrcu_postpone should be used instead.

CC: Finn Christensen <fc at napatech.com>
Fixes: e8a2b5bf92bb ("netdev-dpdk: implement flow offload with rte flow")
Signed-off-by: Ilya Maximets <i.maximets at samsung.com>
---
 lib/dpif-netdev.c | 2 +-
 lib/netdev-dpdk.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index c44c417d3..3f7acb5dd 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -2136,7 +2136,7 @@ megaflow_to_mark_disassociate(const ovs_u128 *mega_ufid)
         if (ovs_u128_equals(*mega_ufid, data->mega_ufid)) {
             cmap_remove(&flow_mark.megaflow_to_mark,
                         CONST_CAST(struct cmap_node *, &data->node), hash);
-            free(data);
+            ovsrcu_postpone(free, data);
             return;
         }
     }
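Review bot: the new ovsrcu_postpone(free, data) call in megaflow_to_mark_disassociate() would benefit from a one-line comment saying who may still be holding 'data'. The return immediately after it shows that this thread does not continue its own iteration past the removed node, so the deferred free is presumably protecting other threads that are still traversing flow_mark.megaflow_to_mark. Stating that next to the call makes it less likely that someone later "simplifies" it back to a direct free().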
diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c
index 78a981d8f..d2b392f61 100644
--- a/lib/netdev-dpdk.c
+++ b/lib/netdev-dpdk.c
@@ -4043,7 +4043,7 @@ ufid_to_rte_flow_disassociate(const ovs_u128 *ufid) {
         if (ovs_u128_equals(*ufid, data->ufid)) {
             cmap_remove(&ufid_to_rte_flow,
                         CONST_CAST(struct cmap_node *, &data->node), hash);
-            free(data);
+            ovsrcu_postpone(free, data);
             return;
         }
     }
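Review bot: in ufid_to_rte_flow_disassociate() the order of cmap_remove() followed by ovsrcu_postpone(free, data) is what makes the deferred free safe, and nothing in the hunk documents that. The node has to be unlinked first so that no new reader can find it once the grace period has started. A short comment above the pair would keep the ordering from being swapped in a later refactor. Separately, the function header shown in the hunk line has its opening brace on the same line as the signature, unlike megaflow_to_mark_disassociate() in the other file; that could be tidied while touching this function.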
-- 
2.17.1


