On Mon, May 16, 2016 at 08:08:01PM -0700, Joe Stringer wrote:
> During udpif_create(), we register callbacks for handling upcalls and
> purging the datapath; however, in the corresponding udpif_destroy() we
> never did this. This could potentially lead to dereference of
> uninitialized memory in the userspace datapath if the main thread
> destroys the udpif then executes an OpenFlow packet-out.
> 
> Fixes: e4e74c3a2b9a ("dpif-netdev: Purge all ukeys when reconfigure pmd.")
> Fixes: 623540e4617e ("dpif-netdev: Streamline miss handling.")
> Reported-by: William Tu <u9012...@gmail.com>
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
>  ofproto/ofproto-dpif-upcall.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index 0543c78e8790..8276668c7a50 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -434,6 +434,9 @@ udpif_destroy(struct udpif *udpif)
>  {
>      udpif_stop_threads(udpif);
>  
> +    dpif_register_dp_purge_cb(udpif->dpif, NULL, udpif);
> +    dpif_register_upcall_cb(udpif->dpif, NULL, udpif);
> +
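
Review bot: in udpif_destroy(), both added calls clear the callback with NULL but still pass udpif as the last argument. If the dpif stores that argument as the callback's context (an assumption; the registration functions are not shown in this hunk), it would keep a pointer to a udpif that is about to be destroyed. Consider passing NULL there as well, e.g. dpif_register_upcall_cb(udpif->dpif, NULL, NULL);, and adding a one-line comment above the two calls saying that they undo the registration done in udpif_create().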

Good catch.

Acked-by: Ben Pfaff <b...@ovn.org>