[ovs-dev] [PATCH v1] ofproto: Fix OVS crash when packets hit Openflow rules with certain combinations of nested actions

Anil Kumar anilkumar.k at altencalsoftlabs.com
Wed Aug 28 10:24:58 UTC 2019

OVS crashes when a packet sent with action set to OFPP_TABLE hits Openflow
rules with conntrack and learn actions.

For example:
The crash can be triggered by installing the following Open flow rules and
sending packet with action set to OFPP_TABLE

1. ovs-ofctl -OOpenflow13 add-flow br-int "table=0, priority=50, \
   ct_state=-trk,ip, in_port=10 actions=ct(table=0)"

2. ovs-ofctl -OOpenflow13 add-flow br-int "table=0, priority=50, \
   ct_state=+trk,ip, in_port=10 actions=ct(commit),resubmit(,1)"

3. ovs-ofctl -OOpenflow13 add-flow br-int "table=1 \
   actions=learn(table=2,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:NXM_OF_IN_PORT[]->NXM_NX_REG0[0..15], \

4. Send a packet with output as OFPP_TABLE
   ovs-ofctl -OOpenflow13 packet-out br-int 'in_port=10 \
   packet=505400000007101111111111080045000028000000004006f97cc0a80001c0a800020008000a0000000000000000500200002e7d0000, \

The processing code path results in the same thread context attempting to
acquire a mutex that it already holds. Since the mutex is of error checking
type this situation is considered fatal and OVS aborts. The crash isn’t
limited to only the above combination of actions

Signed-off-by: Anil Kumar <anilkumar.k at altencalsoftlabs.com>
 ofproto/ofproto.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 12758a3..ff7d90b 100644
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -302,7 +302,7 @@ static size_t n_ofproto_classes;
 static size_t allocated_ofproto_classes;
 /* Global lock that protects all flow table operations. */
-struct ovs_mutex ofproto_mutex = OVS_MUTEX_INITIALIZER;
+struct ovs_mutex ofproto_mutex;
 unsigned ofproto_flow_limit = OFPROTO_FLOW_LIMIT_DEFAULT;
 unsigned ofproto_max_idle = OFPROTO_MAX_IDLE_DEFAULT;
@@ -337,6 +337,8 @@ ofproto_init(const struct shash *iface_hints)
     struct shash_node *node;
     size_t i;
+    ovs_mutex_init_recursive(&ofproto_mutex);
     /* Make a local copy, since we don't own 'iface_hints' elements. */

More information about the dev mailing list