diff options
| author | Yifeng Sun <pkusunyifeng@gmail.com> | 2021-02-17 13:09:05 -0800 |
|---|---|---|
| committer | Ilya Maximets <i.maximets@ovn.org> | 2021-02-23 12:45:48 +0100 |
| commit | 436ce00da03e0a09df875fc775ebc47b50b5bd01 (patch) | |
| tree | 3c1baa4e1e8821e272fefee429b327f48e7bab6f /lib/tc.c | |
| parent | 8f09b26881e4cbe6cf9c4a5ca82243067d731216 (diff) | |
| download | openvswitch-436ce00da03e0a09df875fc775ebc47b50b5bd01.tar.gz | |
connmgr: Check nullptr inside ofmonitor_report().
ovs-vswitchd could crash under these circumstances:
1. When one bridge is being destroyed, ofproto_destroy() is called and
connmgr pointer of its ofproto struct is nullified. This ofproto struct is
deallocated through 'ovsrcu_postpone(ofproto_destroy_defer__, p);'.
2. Before RCU enters quiesce state to actually free this ofproto struct,
revalidator thread calls udpif_revalidator(), which could handle
a learn flow and calls ofproto_flow_mod_learn(), it later calls
ofmonitor_report() and ofproto struct's connmgr pointer is accessed.
The crash stack trace is shown below:
0 ofmonitor_report (mgr=0x0, rule=0x7f..30, event=NXFME_ADDED,
reason=OFPRR_IDLE_TIMEOUT, abbrev_ofconn=0x0, abbrev_xid=0, old_actions=0x0)
at ofproto/connmgr.c:2160
1 add_flow_finish (ofproto=0x55..b0, ofm=<optimized out>, req=0x0)
at ofproto/ofproto.c:5221
2 modify_flows_finish (req=0x0, ofm=0x7f..f0, ofproto=0x55..b0)
at ofproto/ofproto.c:5823
3 ofproto_flow_mod_finish (ofproto=0x55..b0, ofm=0x7f..f0, req=0x0)
at ofproto/ofproto.c:8088
4 ofproto_flow_mod_learn_finish (ofm=0x7f..f0, orig_ofproto=0x0)
at ofproto/ofproto.c:5439
5 ofproto_flow_mod_learn (ofm=0x7f..f0, keep_ref=true, below_limitp=0x0)
at ofproto/ofproto.c:5499
6 xlate_push_stats_entry (entry=0x7f..48, stats=0x7f..10, offloaded=false)
at ofproto/ofproto-dpif-xlate-cache.c:127
7 xlate_push_stats (xcache=<optimized out>, stats=0x7f..10, offloaded=false)
at ofproto/ofproto-dpif-xlate-cache.c:181
8 revalidate_ukey (udpif=0x55..40, ukey=0x7f..60, stats=0x7f..18,
odp_actions=0x7f..50, reval_seq=5655486242,
recircs=0x7f..40, offloaded=false)
at ofproto/ofproto-dpif-upcall.c:2294
9 revalidate at ofproto/ofproto-dpif-upcall.c:2683
10 udpif_revalidator at ofproto/ofproto-dpif-upcall.c:936
11 ovsthread_wrapper at lib/ovs-thread.c:423
12 start_thread () from /usr/lib64/libpthread.so.0
13 clone () from /usr/lib64/libc.so.6
At the time of crash, the involved ofproto was already deallocated:
(gdb) print *ofproto
$1 = ..., name = 0x55d907602820 "nsx-managed", ..., ports = {...,
one = 0x0, mask = 63, n = 0}, ..., connmgr = 0x0, ...
This patch fixes it.
VMware-BZ: #2700626
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Acked-by: William Tu < u9012063@gmail.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'lib/tc.c')
0 files changed, 0 insertions, 0 deletions