[ovs-dev] [PATCH] ofproto:fix use-after-free

guohongzhi (A) guohongzhi1 at huawei.com
Mon Mar 9 02:35:56 UTC 2020

RCU alone may not be sufficient. The deletion of a rule or group uses both RCU and reference counting, but the deletion of an ofproto uses only RCU.

The execution process is as follows:
ofproto_destroy => p->ofproto_class->destruct => ofproto_rule_delete => ofproto_rule_unref (suppose rule-A's reference count has not yet dropped its last reference, so rule-A is not added to the deferred deletion list) => … => ofproto_destroy (the ofproto is added to the deferred deletion list directly in the last line of the function) => soon after, rule-A's reference count drops its last reference and it is added to the deferred deletion list after the ofproto. So the ofproto will be released before rule-A. When rule_destroy_cb is executed, its internal access of the ofproto will cause a use-after-free.

-----Original Message-----
From: Ben Pfaff [mailto:blp at ovn.org] 
Sent: March 7, 2020 4:58
To: guohongzhi (A) <guohongzhi1 at huawei.com>
Cc: dev at openvswitch.org; numans at ovn.org; Zhoujingbin (Robin, Russell Lab) <zhoujingbin at huawei.com>; chenchanghu <chenchanghu at huawei.com>; Lilijun (Jerry) <jerry.lilijun at huawei.com>
Subject: Re: [PATCH] [ovs-dev]ofproto:fix use-after-free

On Fri, Mar 06, 2020 at 09:05:55PM +0800, guohongzhi wrote:
> ASAN reports a use-after-free when destroying an ofproto_rule: the 
> rule->ofproto has already been freed in ofproto_destroy.
> Add ref_count for ofproto to avoid the use-after-free when destroying an 
> ofproto_rule and group.
> Signed-off-by: guohongzhi <guohongzhi1 at huawei.com>

Why isn't RCU sufficient to avoid use-after-free?
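A toy C model of the ordering described in this thread, added here as an illustration; it is not code from the thread or from OVS. The names (`ofproto_m`, `rule_m`, `simulate`) are constructed stand-ins, and the deferred deletion list is modelled as a plain FIFO so that whatever is queued first is destroyed first.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the real structures: the ofproto's ref_cnt is
 * only meaningful when the proposed reference counting is switched on. */
struct ofproto_m { int ref_cnt; bool freed; };
struct rule_m { struct ofproto_m *ofproto; int ref_cnt; };

/* Deferred deletion modelled as a FIFO: first queued, first destroyed. */
enum kind { K_OFPROTO, K_RULE };
static struct { enum kind kind; void *obj; } queue[8];
static size_t queue_len;

static void defer(enum kind kind, void *obj)
{
    queue[queue_len].kind = kind; queue[queue_len].obj = obj; queue_len++;
}

static void rule_unref_m(struct rule_m *r)
{
    if (--r->ref_cnt == 0) defer(K_RULE, r);     /* queued only at last ref */
}

static void ofproto_unref_m(struct ofproto_m *p)
{
    if (--p->ref_cnt == 0) defer(K_OFPROTO, p);
}

/* Returns true if the rule's destroy callback ran against an already-freed
 * ofproto, i.e. the use-after-free ASAN reported. */
bool simulate(bool ofproto_refcounted)
{
    /* With the fix, the rule holds one reference on the ofproto (2 total). */
    struct ofproto_m p = { .ref_cnt = ofproto_refcounted ? 2 : 1, .freed = false };
    struct rule_m r = { .ofproto = &p, .ref_cnt = 2 }; /* one other holder */
    bool uaf = false;
    queue_len = 0;

    /* ofproto_destroy: drop the rule, then release the ofproto itself. */
    rule_unref_m(&r);      /* 2 -> 1: rule-A is NOT queued yet */
    ofproto_unref_m(&p);   /* RCU-only: 1 -> 0, ofproto is queued first */
    rule_unref_m(&r);      /* soon after: last holder drops rule-A, queued */

    for (size_t i = 0; i < queue_len; i++) {   /* run deferred callbacks */
        if (queue[i].kind == K_OFPROTO) {
            ((struct ofproto_m *)queue[i].obj)->freed = true;
        } else {                                /* rule_destroy_cb */
            struct rule_m *rule = queue[i].obj;
            uaf |= rule->ofproto->freed;        /* the access ASAN flagged */
            if (ofproto_refcounted) ofproto_unref_m(rule->ofproto);
        }
    }
    return uaf;
}
```

With RCU only, the ofproto lands in the queue ahead of rule-A and is freed first; with the rule holding a reference on its ofproto, the ofproto is not queued until the rule's callback releases it.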
