[ovs-git] [openvswitch/ovs] 312359: ovs-rcu: Avoid flushing callbacks during postponing.
Ilya Maximets
noreply at github.com
Thu Jun 11 08:47:51 UTC 2020
Branch: refs/heads/branch-2.12
Home: https://github.com/openvswitch/ovs
Commit: 312359a5cd2d93644b735b46d82a71ba520dbab2
https://github.com/openvswitch/ovs/commit/312359a5cd2d93644b735b46d82a71ba520dbab2
Author: Ilya Maximets <i.maximets at ovn.org>
Date: 2020-06-10 (Wed, 10 Jun 2020)
Changed paths:
M AUTHORS.rst
M lib/ovs-rcu.c
Log Message:
-----------
ovs-rcu: Avoid flushing callbacks during postponing.
ovsrcu_flush_cbset() call during ovsrcu_postpone() could cause
use after free in case the caller sets new pointer only after
postponing free for the old one:
------------------ ------------------ -------------------
Thread 1 Thread 2 RCU Thread
------------------ ------------------ -------------------
pointer = A
ovsrcu_quiesce():
thread->seqno = 30
global_seqno = 31
quiesced
read pointer A
postpone(free(A)):
flush cbset
pop flushed_cbsets
ovsrcu_synchronize:
target_seqno = 31
ovsrcu_quiesce():
thread->seqno = 31
global_seqno = 32
quiesced
read pointer A
use pointer A
ovsrcu_quiesce():
thread->seqno = 32
global_seqno = 33
quiesced
read pointer A
pointer = B
ovsrcu_quiesce():
thread->seqno = 33
global_seqno = 34
quiesced
target_seqno exceeded
by all threads
call cbs to free A
use pointer A
(use after free)
-----------------------------------------------------------
Fix that by using dynamically re-allocated array without flushing
to the global flushed_cbsets until writer enters quiescent state.
Fixes: 0f2ea84841e1 ("ovs-rcu: New library.")
Reported-by: Linhaifeng <haifeng.lin at huawei.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-June/371265.html
Acked-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
More information about the git
mailing list