[ovs-dev] [patch v6 1/3] conntrack: Fix race for NAT cleanup.

Darrell Ball dlu998 at gmail.com
Fri Mar 15 23:40:24 UTC 2019


On Fri, Mar 15, 2019 at 4:31 PM Ben Pfaff <blp at ovn.org> wrote:

> On Fri, Mar 15, 2019 at 04:17:34PM -0700, Darrell Ball wrote:
> > On Fri, Mar 15, 2019 at 3:56 PM Ben Pfaff <blp at ovn.org> wrote:
> >
> > > On Fri, Mar 15, 2019 at 03:01:18PM -0700, Darrell Ball wrote:
> > > > Reference lists are not fully protected during cleanup of
> > > > NAT connections where the bucket lock is transiently not held during
> > > > list traversal.  This can lead to referencing freed memory during
> > > > cleaning from multiple contexts.  Fix this by protecting with
> > > > the existing 'cleanup' mutex in the missed cases where 'conn_clean()'
> > > > is called.  'conntrack_flush()' is converted to expiry list traversal
> > > > to support the proper bucket level protection with the 'cleanup'
> mutex.
> > > >
> > > > The NAT exhaustion case cleanup in 'conn_not_found()' is also
> modified
> > > > to avoid the same issue.
> > > >
> > > > Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT
> Support.")
> > > > Reported-by: solomon <liwei.solomon at gmail.com>
> > > > Reported-at:
> > > https://mail.openvswitch.org/pipermail/ovs-dev/2019-March/357056.html
> > > > Tested-by: solomon <liwei.solomon at gmail.com>
> > > > Signed-off-by: Darrell Ball <dlu998 at gmail.com>
> > > > ---
> > > >
> > > > This patch is targeted for earlier releases as new RCU patches
> > > > inherently don't have this race.
> > > >
> > > > Backport to 2.8.
> > >
> > > Thanks.  I applied this to master, branch-2.11, and branch-2.10.  2.9
> > > and 2.8 had conflicts.
> > >
> >
> > I will create the backport patches for 2.9 and 2.8.
> >
> > Regarding branch 2.8 - it has diverged quite a bit in general from branch
> > >=2.9.
> > This is because of some small features/cosmetic changes that went into
> 2.9.
> > One option would be to bring 2.8 into sync with 2.9 in one patch.
> > Alternatively,
> > backport all dependencies  and fixes separately. Thoughts ?
>
> Usually it's better to backport them separately, because it makes it
> clear at a glance what happened in a list of patches.


yep


> But that can
> sometimes be a lot of trouble, and in that case a single patch can make
> sense.
>

It is the "lot of trouble" part I am trying to avoid. Let me see.


More information about the dev mailing list