[ovs-dev] [PATCH v3 2/2] system-traffic: Check frozen state handling with TLV map change

William Tu u9012063 at gmail.com
Fri Apr 10 21:54:41 UTC 2020


On Thu, Apr 09, 2020 at 11:37:39AM -0700, Yifeng Sun wrote:
> This patch enhances a system traffic test to prevent regression on
> the tunnel metadata table (tun_table) handling with frozen state.
> Without a proper fix this test can crash ovs-vswitchd due to a
> use-after-free bug on tun_table.
> 
> This is the timed sequence of how this bug is triggered:
> 
> - Adds an OpenFlow rule in OVS that matches Geneve tunnel metadata that
> contains a controller action.
> - When the first packet matches the aforementioned OpenFlow rule,
> during the miss upcall, OVS stores a pointer to the tun_table (that
> decodes the Geneve tunnel metadata) in a frozen state and pushes down
> a datapath flow into kernel datapath.
> - Issues an add-tlv-map command to reprogram the tun_table on OVS.
> OVS frees the old tun_table and creates a new tun_table.
> - A subsequent packet hits the kernel datapath flow again. Since
> there is a controller action associated with that flow, it triggers
> slow path controller upcall.
> - In the slow path controller upcall, OVS derives the tun_table
> from the frozen state, which points to the old tun_table that is
> already being freed at this time point.
> - In order to access the tunnel metadata, OVS uses the invalid
> pointer that points to the old tun_table and triggers the core dump.
> 
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
> Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
> Co-authored-by: Yi-Hung Wei <yihung.wei at gmail.com>
> ---

Applied, thanks
William
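
Added example, not part of this thread or the OVS source: a small C model of the sequence in the commit message, in which the frozen state takes a counted reference to the tunnel metadata table so the table outlives a remap. All names (`tab_ref`, `freeze`, `thaw_generation`, `replay`) are hypothetical, and reference counting is one generic mitigation, not necessarily the fix OVS applied.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the objects named in the commit message. */
struct tun_table { int refcnt; int generation; };
struct frozen_state { struct tun_table *tab; };

static struct tun_table *current_tab;   /* table owned by the switch */
static int live_tables;                 /* allocations not yet freed */
static struct tun_table *tab_new(int gen) {
    struct tun_table *t = malloc(sizeof *t);
    if (!t) abort();
    t->refcnt = 1; t->generation = gen; live_tables++;
    return t;
}
static struct tun_table *tab_ref(struct tun_table *t) { t->refcnt++; return t; }
static void tab_unref(struct tun_table *t) {
    if (t && --t->refcnt == 0) { free(t); live_tables--; }
}

/* Miss upcall: the frozen state holds its own reference, not a bare pointer. */
static void freeze(struct frozen_state *fs) { fs->tab = tab_ref(current_tab); }

/* add-tlv-map: install a new table, then drop the switch's reference to the old. */
static void add_tlv_map(void) {
    struct tun_table *old = current_tab;
    current_tab = tab_new(old ? old->generation + 1 : 1);
    tab_unref(old);
}

/* Controller upcall: read through the frozen state, then release its reference. */
static int thaw_generation(struct frozen_state *fs) {
    int gen = fs->tab->generation;
    tab_unref(fs->tab); fs->tab = NULL;
    return gen;
}

/* Replays the listed sequence; returns the table generation seen at thaw time. */
static int replay(void) {
    struct frozen_state fs;
    add_tlv_map();                 /* initial table, generation 1 */
    freeze(&fs);                   /* first packet, miss upcall */
    add_tlv_map();                 /* remap: generation 2 installed */
    return thaw_generation(&fs);   /* later packet, controller upcall */
}

int main(void) {
    int gen = replay();
    printf("thawed generation %d, live tables %d\n", gen, live_tables);
    return 0;
}
```

With a bare pointer in `freeze` instead of `tab_ref`, the read in `thaw_generation` would touch freed memory, which is the crash the test in this patch guards against.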

