[ovs-git] [openvswitch/ovs] 8bfe80: ovs-rcu: Avoid flushing callbacks during postponing.
Ilya Maximets
noreply at github.com
Thu Jun 11 08:48:41 UTC 2020
Branch: refs/heads/branch-2.8
Home: https://github.com/openvswitch/ovs
Commit: 8bfe80df59d0aaf27a1b741702e1cf83f522a12c
https://github.com/openvswitch/ovs/commit/8bfe80df59d0aaf27a1b741702e1cf83f522a12c
Author: Ilya Maximets <i.maximets at ovn.org>
Date: 2020-06-10 (Wed, 10 Jun 2020)
Changed paths:
M AUTHORS.rst
M lib/ovs-rcu.c
Log Message:
-----------
ovs-rcu: Avoid flushing callbacks during postponing.
ovsrcu_flush_cbset() call during ovsrcu_postpone() could cause a
use after free in case the caller sets the new pointer only after
postponing the free of the old one:
 ------------------      ------------------      -------------------
     Thread 1                 Thread 2                RCU Thread
 ------------------      ------------------      -------------------
  pointer = A
                                                   ovsrcu_quiesce():
                                                     thread->seqno = 30
                                                     global_seqno = 31
                                                     quiesced
                            read pointer A
  postpone(free(A)):
    flush cbset
                                                   pop flushed_cbsets
                                                   ovsrcu_synchronize:
                                                     target_seqno = 31
                            ovsrcu_quiesce():
                              thread->seqno = 31
                              global_seqno = 32
                              quiesced
                            read pointer A
                            use pointer A
                                                   ovsrcu_quiesce():
                                                     thread->seqno = 32
                                                     global_seqno = 33
                                                     quiesced
                            read pointer A
  pointer = B
  ovsrcu_quiesce():
    thread->seqno = 33
    global_seqno = 34
    quiesced
                                                   target_seqno exceeded
                                                     by all threads
                                                   call cbs to free A
                            use pointer A
                            (use after free)
 -----------------------------------------------------------
Fix that by using a dynamically re-allocated array, without flushing
to the global flushed_cbsets until the writer enters a quiescent state.
Fixes: 0f2ea84841e1 ("ovs-rcu: New library.")
Reported-by: Linhaifeng <haifeng.lin at huawei.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-June/371265.html
Acked-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
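The interleaving in the commit message can be replayed deterministically to see why flushing inside ovsrcu_postpone() is the defect. The C below is an added example, not code from the ovs tree: it is a single-threaded model of the seqno-based grace period in which a writer, a reader and the RCU thread take turns according to the message's table, once with the callback set flushed during postpone (pre-fix) and once with it kept in the writer's private array until the writer quiesces (post-fix). Every identifier (quiesce, postpone_free_a, rcu_thread_poll, run_trace, struct model) is the model's own and only loosely mirrors the ovs-rcu functions it is named after; the rule that the two application threads gate the grace period while the RCU thread itself counts as quiescent is also the model's simplification.

```c
/* Added example, not ovs-rcu's own code: a single-threaded model of the
 * seqno-based grace period from the commit message.  It replays the
 * interleaving in the message with the callback set flushed inside
 * postpone() (pre-fix) and with it kept private until the writer quiesces
 * (post-fix), and reports whether Thread 2's final "use pointer A" lands on
 * freed memory.  All names are the model's own, not the ovs-rcu API. */
#include <stdbool.h>

enum { WRITER, READER, RCU, NTHREADS };

struct model {
    unsigned seqno[NTHREADS];  /* per-thread seqno recorded at quiesce */
    unsigned global_seqno;     /* bumped by every quiesce */
    int pointer;               /* the RCU-protected pointer: 'A' or 'B' */
    int reader_copy;           /* what Thread 2 last read from it */
    bool writer_private_cb;    /* free(A) queued in the writer's own array */
    bool flushed_cb;           /* free(A) sits in global flushed_cbsets */
    bool rcu_holding_cb;       /* RCU thread popped it and is waiting */
    unsigned target_seqno;     /* grace-period target taken when popped */
    bool freed_a;              /* free(A) has run */
    bool flush_in_postpone;    /* true = pre-fix behaviour */
};

/* ovsrcu_quiesce() in the model: record the global seqno, bump it, and hand
 * the writer's private callbacks to the RCU thread (the only flush point
 * after the fix). */
static void quiesce(struct model *m, int t)
{
    m->seqno[t] = m->global_seqno;
    if (t == WRITER && m->writer_private_cb) {
        m->writer_private_cb = false;
        m->flushed_cb = true;
    }
    m->global_seqno++;
}

/* ovsrcu_postpone(free, A) in the model, under either policy. */
static void postpone_free_a(struct model *m)
{
    if (m->flush_in_postpone) {
        m->flushed_cb = true;         /* pre-fix: RCU thread sees it now */
    } else {
        m->writer_private_cb = true;  /* post-fix: private until quiesce */
    }
}

/* One pass of the RCU thread: pop a flushed set if idle, then run it once the
 * two application threads have quiesced since the target was taken (the RCU
 * thread is itself quiescent while waiting, so it does not gate the check). */
static void rcu_thread_poll(struct model *m)
{
    if (!m->rcu_holding_cb && m->flushed_cb) {
        m->flushed_cb = false;
        m->rcu_holding_cb = true;
        m->target_seqno = m->global_seqno;  /* ovsrcu_synchronize target */
    }
    if (m->rcu_holding_cb && m->seqno[WRITER] >= m->target_seqno
        && m->seqno[READER] >= m->target_seqno) {
        m->rcu_holding_cb = false;
        m->freed_a = true;                  /* call cbs to free A */
    }
}

struct outcome {
    bool use_after_free;    /* did Thread 2 dereference A after free(A)? */
    bool freed_eventually;  /* did free(A) still run by the end? */
};

/* Replay the commit message's interleaving, then let both application threads
 * quiesce once more to show that the fix only delays the callback. */
struct outcome run_trace(bool flush_in_postpone)
{
    struct model m = { .global_seqno = 30, .pointer = 'A',
                       .flush_in_postpone = flush_in_postpone };
    struct outcome out = { false, false };

    quiesce(&m, RCU);                 /* seqno 30, global -> 31 */
    m.reader_copy = m.pointer;        /* Thread 2: read pointer A */
    postpone_free_a(&m);              /* Thread 1: postpone(free(A)) */
    rcu_thread_poll(&m);              /* pre-fix: pops it, target = 31 */
    quiesce(&m, READER);              /* seqno 31, global -> 32 */
    m.reader_copy = m.pointer;        /* read pointer A */
    out.use_after_free |= (m.reader_copy == 'A' && m.freed_a);  /* use A */
    quiesce(&m, RCU);                 /* seqno 32, global -> 33 */
    m.reader_copy = m.pointer;        /* read pointer A */
    m.pointer = 'B';                  /* Thread 1: pointer = B */
    quiesce(&m, WRITER);              /* seqno 33, global -> 34 */
    rcu_thread_poll(&m);              /* pre-fix: target met, A freed */
    out.use_after_free |= (m.reader_copy == 'A' && m.freed_a);  /* use A */

    quiesce(&m, READER);
    quiesce(&m, WRITER);
    rcu_thread_poll(&m);
    out.freed_eventually = m.freed_a;
    return out;
}
```

Calling run_trace(true) reproduces the table: Thread 1's own ovsrcu_quiesce() is the event that satisfies the target taken at postpone time, so free(A) runs while Thread 2 still holds the copy it read before pointer = B. With run_trace(false) the set is only flushed by that same quiesce, so the RCU thread's target becomes 34, which neither application thread has reached yet; A is freed only after each of them quiesces once more, and the stale copy in Thread 2 is never dereferenced after the free.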