[ovs-git] [openvswitch/ovs] b9de30: ovs-actions.xml: Fix a typo in the description of ...

Ilya Maximets noreply at github.com
Thu Jun 11 08:45:53 UTC 2020 

  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: b9de30d350879533ce3ffd6f8fb946a1c9c9f6cd
      https://github.com/openvswitch/ovs/commit/b9de30d350879533ce3ffd6f8fb946a1c9c9f6cd
  Author: Numan Siddique <numans at ovn.org>
  Date:   2020-06-10 (Wed, 10 Jun 2020)

  Changed paths:
    M lib/ovs-actions.xml

  Log Message:
  -----------
  ovs-actions.xml: Fix a typo in the description of check_pkt_larger.

Signed-off-by: Numan Siddique <numans at ovn.org>
Acked-by: William Tu <u9012063 at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 5042815d8fe58e19b58e77d4d87b59951f6fdeb8
      https://github.com/openvswitch/ovs/commit/5042815d8fe58e19b58e77d4d87b59951f6fdeb8
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2020-06-10 (Wed, 10 Jun 2020)

  Changed paths:
    M AUTHORS.rst
    M lib/ovs-rcu.c

  Log Message:
  -----------
  ovs-rcu: Avoid flushing callbacks during postponing.

ovsrcu_flush_cbset() call during ovsrcu_postpone() could cause
use after free in case the caller sets new pointer only after
postponing free for the old one:

 ------------------  ------------------  -------------------
 Thread 1            Thread 2            RCU Thread
 ------------------  ------------------  -------------------
 pointer = A

 ovsrcu_quiesce():
  thread->seqno = 30
  global_seqno = 31
  quiesced

 read pointer A
 postpone(free(A)):
   flush cbset
                                         pop flushed_cbsets
                                         ovsrcu_synchronize:
                                           target_seqno = 31
                     ovsrcu_quiesce():
                      thread->seqno = 31
                      global_seqno = 32
                      quiesced

                     read pointer A
                     use pointer A

                     ovsrcu_quiesce():
                      thread->seqno = 32
                      global_seqno = 33
                      quiesced

                     read pointer A
 pointer = B

 ovsrcu_quiesce():
  thread->seqno = 33
  global_seqno = 34
  quiesced

                                         target_seqno exceeded
                                         by all threads
                                         call cbs to free A
                     use pointer A
                     (use after free)
 -----------------------------------------------------------

Fix that by using dynamically re-allocated array without flushing
to the global flushed_cbsets until writer enters quiescent state.

Fixes: 0f2ea84841e1 ("ovs-rcu: New library.")
Reported-by: Linhaifeng <haifeng.lin at huawei.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-June/371265.html
Acked-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/a3db6e473d9f...5042815d8fe5

More information about the git mailing list