Hi, TongHao and Ilya

I guess this bug was fixed by patch 1f3a090 ("net: openvswitch:
introduce common code for flushing flows"), but this patch is not
for fixing the flow mask use-after-free bug.

Best regards, Wentao Jia

>> On 3/24/22 05:17, Wentao Jia wrote:
>> >
>> >
>> > on destroy flow table instance, referenced flow mask may be released
>> > too. function ovs_flow_tbl_destroy(), release flow mask first and then
>> > destroy flow table instance. this will trigger kernel panic on destroy
>> > datapath
>> >
>> >
>> > [ 377.647756] kernel BUG at .../datapath/linux/flow_table.c:272!
>> > [ 377.653794] invalid opcode: 0000 [#1] SMP PTI
>> > [ 377.666827] RIP: 0010:table_instance_flow_free.isra.7+0x148/0x150
>> > [ 377.711465] Call Trace:
>> > [ 377.715238] <IRQ>
>> > [ 377.718964] table_instance_destroy+0xbe/0x160 [openvswitch]
>> > [ 377.722793] destroy_dp_rcu+0x12/0x40 [openvswitch]
>> > [ 377.726651] rcu_process_callbacks+0x297/0x460
>> > [ 377.736795] __do_softirq+0xe3/0x30a
>> > [ 377.740654] ? ktime_get+0x36/0xa0
>> > [ 377.744490] irq_exit+0x100/0x110
>> > [ 377.748514] smp_apic_timer_interrupt+0x74/0x140
>> > [ 377.752817] apic_timer_interrupt+0xf/0x20
>> > [ 377.758802] </IRQ>
>> >
>> >
>> > Fixes: 6d1cf7f3e ("datapath: fix possible memleak on destroy
>> > flow-table")
>for linux upstream, fix tag:
>Fixes: 50b0e61b32ee ("net: openvswitch: fix possible memleak on
>destroy flow-table")
>> >
>> > Signed-off-by: Wentao Jia <wentao....@easystack.cn>
>> > Signed-off-by: Chuanjie Zeng <chuanjie.z...@easystack.cn>
>> > ---
>>
>> Hi, Wentao Jia. Thanks for the patch!
>>
>> Please, send it to the mainline linux kernel ('netdev' mailing list,
>> keeping the ovs-dev in CC) using the linux kernel process for
>> submitting patches.
>>
>> When it is accepted to the upstream kernel, it can be backported to
>> the OOT kernel module in OVS repository.
>>
>> Best regards, Ilya Maximets.
>>
>> > datapath/flow_table.c | 2 +- >> > 1 file changed, 1
insertion(+), 1 deletion(-) >> > >> > >> > diff --git a/datapath/flow_table.c 
b/datapath/flow_table.c >> > index 650338fb0..b2f4b1108 100644 >> > --- 
a/datapath/flow_table.c >> > +++ b/datapath/flow_table.c >> > @@ -415,8 +415,8 
@@ void ovs_flow_tbl_destroy(struct flow_table *table) >> > struct 
table_instance *ufid_ti = rcu_dereference_raw(table->ufid_ti); >> > >> > >> > 
free_percpu(table->mask_cache); >> > - 
kfree(rcu_dereference_raw(table->mask_array)); >> > 
table_instance_destroy(table, ti, ufid_ti, false); >> > + 
kfree(rcu_dereference_raw(table->mask_array)); >> > } >> > > >-- >Best regards, 
Tonghao
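
Review bot: in ovs_flow_tbl_destroy(), free_percpu(table->mask_cache) still runs before table_instance_destroy(), so the same ordering question applies to it. If the flow-free path reached from table_instance_destroy() (table_instance_flow_free in the trace) can touch the mask cache as well as table->mask_array, that free has to move below the call too, and the commit message should say which of the two is dereferenced. Since the fix is purely a statement-order dependency, add a short comment above the moved kfree(rcu_dereference_raw(table->mask_array)) stating that the mask array must outlive table_instance_destroy(), so a later cleanup does not reorder it again. For the upstream submission, use the Fixes: 50b0e61b32ee tag given in the reply rather than the OOT commit id.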



_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev