[ovs-git] [openvswitch/ovs] 8bfe80: ovs-rcu: Avoid flushing callbacks during postponing.

Ilya Maximets noreply at github.com
Thu Jun 11 08:48:41 UTC 2020


  Branch: refs/heads/branch-2.8
  Home:   https://github.com/openvswitch/ovs
  Commit: 8bfe80df59d0aaf27a1b741702e1cf83f522a12c
      https://github.com/openvswitch/ovs/commit/8bfe80df59d0aaf27a1b741702e1cf83f522a12c
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2020-06-10 (Wed, 10 Jun 2020)

  Changed paths:
    M AUTHORS.rst
    M lib/ovs-rcu.c

  Log Message:
  -----------
  ovs-rcu: Avoid flushing callbacks during postponing.

ovsrcu_flush_cbset() call during ovsrcu_postpone() could cause
use after free in case the caller sets new pointer only after
postponing free for the old one:

 ------------------  ------------------  -------------------
 Thread 1            Thread 2            RCU Thread
 ------------------  ------------------  -------------------
 pointer = A

 ovsrcu_quiesce():
  thread->seqno = 30
  global_seqno = 31
  quiesced

 read pointer A
 postpone(free(A)):
   flush cbset
                                         pop flushed_cbsets
                                         ovsrcu_synchronize:
                                           target_seqno = 31
                     ovsrcu_quiesce():
                      thread->seqno = 31
                      global_seqno = 32
                      quiesced

                     read pointer A
                     use pointer A

                     ovsrcu_quiesce():
                      thread->seqno = 32
                      global_seqno = 33
                      quiesced

                     read pointer A
 pointer = B

 ovsrcu_quiesce():
  thread->seqno = 33
  global_seqno = 34
  quiesced

                                         target_seqno exceeded
                                         by all threads
                                         call cbs to free A
                     use pointer A
                     (use after free)
 -----------------------------------------------------------

Fix that by using dynamically re-allocated array without flushing
to the global flushed_cbsets until writer enters quiescent state.

Fixes: 0f2ea84841e1 ("ovs-rcu: New library.")
Reported-by: Linhaifeng <haifeng.lin at huawei.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-June/371265.html
Acked-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>




More information about the git mailing list