On Thu, Apr 09, 2020 at 11:37:39AM -0700, Yifeng Sun wrote: > This patch enhances a system traffic test to prevent regression on > the tunnel metadata table (tun_table) handling with frozen state. > Without a proper fix this test can crash ovs-vswitchd due to a > use-after-free bug on tun_table. > > These are the timed sequence of how this bug is triggered: > > - Adds an OpenFlow rule in OVS that matches Geneve tunnel metadata that > contains a controller action. > - When the first packet matches the aforementioned OpenFlow rule, > during the miss upcall, OVS stores a pointer to the tun_table (that > decodes the Geneve tunnel metadata) in a frozen state and pushes down > a datapath flow into kernel datapath. > - Issues a add-tlv-map command to reprogram the tun_table on OVS. > OVS frees the old tun_table and create a new tun_table. > - A subsequent packet hits the kernel datapath flow again. Since > there is a controller action associated with that flow, it triggers > slow path controller upcall. > - In the slow path controller upcall, OVS derives the tun_table > from the frozen state, which points to the old tun_table that is > already being freed at this time point. > - In order to access the tunnel metadata, OVS uses the invalid > pointer that points to the old tun_table and triggers the core dump. > > Signed-off-by: Yi-Hung Wei <yihung....@gmail.com> > Signed-off-by: Yifeng Sun <pkusunyif...@gmail.com> > Co-authored-by: Yi-Hung Wei <yihung....@gmail.com> > ---
Applied, thanks William _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
