[ovs-dev] [PATCH] ovs-rcu: Avoid flushing callbacks during postponing.

Ilya Maximets i.maximets at ovn.org
Thu Jun 11 08:54:24 UTC 2020 

On 6/10/20 9:37 PM, Ilya Maximets wrote:
> ovsrcu_flush_cbset() call during ovsrcu_postpone() could cause
> use after free in case the caller sets new pointer only after
> postponing free for the old one:
> 
>  ------------------  ------------------  -------------------
>  Thread 1            Thread 2            RCU Thread
>  ------------------  ------------------  -------------------
>  pointer = A
> 
>  ovsrcu_quiesce():
>   thread->seqno = 30
>   global_seqno = 31
>   quiesced
> 
>  read pointer A
>  postpone(free(A)):
>    flush cbset
>                                          pop flushed_cbsets
>                                          ovsrcu_synchronize:
>                                            target_seqno = 31
>                      ovsrcu_quiesce():
>                       thread->seqno = 31
>                       global_seqno = 32
>                       quiesced
> 
>                      read pointer A
>                      use pointer A
> 
>                      ovsrcu_quiesce():
>                       thread->seqno = 32
>                       global_seqno = 33
>                       quiesced
> 
>                      read pointer A
>  pointer = B
> 
>  ovsrcu_quiesce():
>   thread->seqno = 33
>   global_seqno = 34
>   quiesced
> 
>                                          target_seqno exceeded
>                                          by all threads
>                                          call cbs to free A
>                      use pointer A
>                      (use after free)
>  -----------------------------------------------------------
> 
> Fix that by using dynamically re-allocated array without flushing
> to the global flushed_cbsets until writer enters quiescent state.
> 
> Fixes: 0f2ea84841e1 ("ovs-rcu: New library.")
> Reported-by: Linhaifeng <haifeng.lin at huawei.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-June/371265.html
> Acked-by: Ben Pfaff <blp at ovn.org>
> Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
> ---
> 
> 'Reported-at' tag pointed to v2 of the patch from Linhaifeng, since it
> contains a main discussion.  Also Linhaifeng added to a list of people
> who provided valuable bug reports and suggestions.
> 
> This patch is already acked, so I will just test it a little bit more
> and apply.
> 
>  AUTHORS.rst   |  1 +
>  lib/ovs-rcu.c | 17 ++++++++++++-----
>  2 files changed, 13 insertions(+), 5 deletions(-)
> 

Thanks, Linhaifeng and Ben!
Applied to master and backported down to 2.5.

Best regards, Ilya Maximets.

More information about the dev mailing list