[ovs-git] [ovn-org/ovn] 9d6a88: binding: Cleanup gateway port local binding in run...

Dumitru Ceara noreply at github.com
Tue Nov 24 13:32:26 UTC 2020


  Branch: refs/heads/branch-20.06
  Home:   https://github.com/ovn-org/ovn
  Commit: 9d6a8827f42dd3421e933ef051f215a2230e60f8
      https://github.com/ovn-org/ovn/commit/9d6a8827f42dd3421e933ef051f215a2230e60f8
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2020-11-24 (Tue, 24 Nov 2020)

  Changed paths:
    M controller/binding.c

  Log Message:
  -----------
  binding: Cleanup gateway port local binding in runtime data.

When a port binding of type "l3gateway" is claimed, its remote peer
port_binding is also stored in local_datapath.peer_ports[].remote.

If the remote peer port_binding is deleted first (i.e., before the local
"l3gateway" one) then we need to remove the complete
local_datapath.peer_ports[] entry in order to avoid ending up using
dangling pointers to already freed port bindings.

Also, properly reset local_datapath->has_local_l3gateway in
remove_pb_from_local_datapath().

Ilya reported this issue found by AddressSanitizer during his testing:

==1816017==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000cb170 at pc 0x0000005ab574 bp 0x7fff68925a30 sp 0x7fff68925a28
READ of size 8 at 0x6140000cb170 thread T0
    #0 0x5ab573 in put_replace_chassis_mac_flows git/ovn/controller/physical.c:550:9
    #1 0x5a65eb in consider_port_binding git/ovn/controller/physical.c:1168:13
    #2 0x5a8764 in physical_run git/ovn/controller/physical.c:1607:9
    #3 0x5a0064 in flow_output_physical_flow_changes_handler git/ovn/controller/ovn-controller.c:2127:9
    #4 0x5db423 in engine_compute git/ovn/lib/inc-proc-eng.c:306:18
    #5 0x5dae1f in engine_run_node git/ovn/lib/inc-proc-eng.c:352:14
    #6 0x5dac74 in engine_run git/ovn/lib/inc-proc-eng.c:377:9
    #7 0x59ad64 in main git/ovn/controller/ovn-controller.c
    #8 0x7f39fa6491a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #9 0x480b2d in _start (git/ovn/controller/ovn-controller+0x480b2d)

0x6140000cb170 is located 304 bytes inside of 408-byte region [0x6140000cb040,0x6140000cb1d8)
freed by thread T0 here:
    #0 0x520d07 in free (git/ovn/controller/ovn-controller+0x520d07)
    #1 0x712de7 in ovsdb_idl_db_track_clear git/ovs/lib/ovsdb-idl.c:1984:21
    #2 0x59b5cd in main git/ovn/controller/ovn-controller.c:2762:9
    #3 0x7f39fa6491a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

Reported-by: Ilya Maximets <i.maximets at ovn.org>
Fixes: 354bdba51abf ("ovn-controller: I-P for SB port binding and OVS interface in runtime_data.")
Signed-off-by: Dumitru Ceara <dceara at redhat.com>

(cherry-picked from master commit 2ba8b950ad1497e52eb46086c928f0124b8bc357)
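
Added example, not part of this commit or of OVN's code: a reduced C model of the lifetime rule the log message describes, where a cached `peer_ports[]` entry is dropped whole when either side of it is deleted, before the port binding is freed. The struct layouts, the fixed-size array and `remote_deleted_first()` are assumptions made for illustration; only the names `local_datapath`, `peer_ports`, `remote` and `remove_pb_from_local_datapath` come from the message, and the `has_local_l3gateway` reset is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Reduced stand-ins for the structures named in the log message; the field
 * layout is an assumption for illustration, not OVN's definitions. */
struct port_binding { const char *logical_port; };
struct peer_port { const struct port_binding *local, *remote; };
struct local_datapath {
    struct peer_port peer_ports[8];
    size_t n_peer_ports;
};

/* Drop every whole entry that references pb, whichever side it is on, so no
 * pointer to pb outlives its free().  Returns the number of entries removed. */
static size_t
remove_pb_from_local_datapath(struct local_datapath *ld,
                              const struct port_binding *pb)
{
    size_t removed = 0;
    for (size_t i = 0; i < ld->n_peer_ports; ) {
        if (ld->peer_ports[i].local == pb || ld->peer_ports[i].remote == pb) {
            ld->peer_ports[i] = ld->peer_ports[--ld->n_peer_ports];
            removed++;
        } else {
            i++;
        }
    }
    return removed;
}

/* Constructed scenario: the remote peer is deleted before the local port. */
static bool
remote_deleted_first(void)
{
    struct port_binding *gw = calloc(1, sizeof *gw);
    struct port_binding *peer = calloc(1, sizeof *peer);
    struct local_datapath ld = { .n_peer_ports = 1 };
    if (!gw || !peer) { abort(); }
    ld.peer_ports[0] = (struct peer_port) { .local = gw, .remote = peer };
    bool ok = remove_pb_from_local_datapath(&ld, peer) == 1
              && ld.n_peer_ports == 0;   /* whole entry gone, not just .remote */
    free(peer);   /* safe: nothing in ld points at peer any more */
    free(gw);
    return ok;
}

int main(void) { return remote_deleted_first() ? 0 : 1; }
```

Building the model with `-fsanitize=address` gives the same kind of check that produced the report above: any later read through a stale `peer_ports[]` pointer would be flagged as heap-use-after-free.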



