[ovs-dev] [PATCH branch-2.12] extend-table: Fix use after free in ovn_extend_table_clear.
Dumitru Ceara
dceara at redhat.com
Fri Feb 14 08:21:57 UTC 2020
CC: Han Zhou <hzhou at ovn.org>
Fixes: d5001334f0f6 ("extend-table: Fix reusing group/meter by multiple logical flows.")
Reported-by: Ben Pfaff <blp at ovn.org>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-February/367647.html
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
(cherry picked from ovn commit 22d9a6f35551e3078394d5f8849055f43638e0d1)
---
ovn/lib/extend-table.c | 38 ++++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/ovn/lib/extend-table.c b/ovn/lib/extend-table.c
index 18e16f7..95768f1 100644
--- a/ovn/lib/extend-table.c
+++ b/ovn/lib/extend-table.c
@@ -25,6 +25,10 @@
VLOG_DEFINE_THIS_MODULE(extend_table);
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+ struct ovn_extend_table_lflow_to_desired *l);
+
void
ovn_extend_table_init(struct ovn_extend_table *table)
{
@@ -173,8 +177,7 @@ ovn_extend_table_clear(struct ovn_extend_table *table, bool existing)
if (!existing) {
struct ovn_extend_table_lflow_to_desired *l, *l_next;
HMAP_FOR_EACH_SAFE (l, l_next, hmap_node, &table->lflow_to_desired) {
- hmap_remove(&table->lflow_to_desired, &l->hmap_node);
- free(l);
+ ovn_extend_table_delete_desired(table, l);
}
}
@@ -214,18 +217,10 @@ ovn_extend_table_remove_existing(struct ovn_extend_table *table,
ovn_extend_table_info_destroy(existing);
}
-/* Remove entries in desired table that are created by the lflow_uuid */
-void
-ovn_extend_table_remove_desired(struct ovn_extend_table *table,
- const struct uuid *lflow_uuid)
+static void
+ovn_extend_table_delete_desired(struct ovn_extend_table *table,
+ struct ovn_extend_table_lflow_to_desired *l)
{
- struct ovn_extend_table_lflow_to_desired *l =
- ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
-
- if (!l) {
- return;
- }
-
hmap_remove(&table->lflow_to_desired, &l->hmap_node);
struct ovn_extend_table_lflow_ref *r, *next_r;
LIST_FOR_EACH_SAFE (r, next_r, list_node, &l->desired) {
@@ -233,7 +228,7 @@ ovn_extend_table_remove_desired(struct ovn_extend_table *table,
ovn_extend_info_del_lflow_ref(r);
if (hmap_is_empty(&e->references)) {
VLOG_DBG("%s: %s, "UUID_FMT, __func__,
- e->name, UUID_ARGS(lflow_uuid));
+ e->name, UUID_ARGS(&l->lflow_uuid));
hmap_remove(&table->desired, &e->hmap_node);
if (e->new_table_id) {
bitmap_set0(table->table_ids, e->table_id);
@@ -244,6 +239,21 @@ ovn_extend_table_remove_desired(struct ovn_extend_table *table,
free(l);
}
+/* Remove entries in desired table that are created by the lflow_uuid */
+void
+ovn_extend_table_remove_desired(struct ovn_extend_table *table,
+ const struct uuid *lflow_uuid)
+{
+ struct ovn_extend_table_lflow_to_desired *l =
+ ovn_extend_table_find_desired_by_lflow(table, lflow_uuid);
+
+ if (!l) {
+ return;
+ }
+
+ ovn_extend_table_delete_desired(table, l);
+}
+
static struct ovn_extend_table_info*
ovn_extend_info_clone(struct ovn_extend_table_info *source)
{
--
1.8.3.1
More information about the dev
mailing list