diff options
| author | Yifeng Sun <pkusunyifeng@gmail.com> | 2020-04-09 11:37:39 -0700 |
|---|---|---|
| committer | William Tu <u9012063@gmail.com> | 2020-04-10 08:20:45 -0700 |
| commit | 134e6831acca48f10df3d59b8e1567c24dd925d2 (patch) | |
| tree | 143c597b440265f880b24eb6e2361bea060abc06 /tests/system-traffic.at | |
| parent | 02f641e2c583799eb38d3b4a59ba5872da04c6d9 (diff) | |
| download | openvswitch-134e6831acca48f10df3d59b8e1567c24dd925d2.tar.gz | |
system-traffic: Check frozen state handling with TLV map change
This patch enhances a system traffic test to prevent regression on
the tunnel metadata table (tun_table) handling with frozen state.
Without a proper fix this test can crash ovs-vswitchd due to a
use-after-free bug on tun_table.
These are the timed sequence of how this bug is triggered:
- Adds an OpenFlow rule in OVS that matches Geneve tunnel metadata that
contains a controller action.
- When the first packet matches the aforementioned OpenFlow rule,
during the miss upcall, OVS stores a pointer to the tun_table (that
decodes the Geneve tunnel metadata) in a frozen state and pushes down
a datapath flow into kernel datapath.
- Issues a add-tlv-map command to reprogram the tun_table on OVS.
OVS frees the old tun_table and create a new tun_table.
- A subsequent packet hits the kernel datapath flow again. Since
there is a controller action associated with that flow, it triggers
slow path controller upcall.
- In the slow path controller upcall, OVS derives the tun_table
from the frozen state, which points to the old tun_table that is
already being freed at this time point.
- In order to access the tunnel metadata, OVS uses the invalid
pointer that points to the old tun_table and triggers the core dump.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Co-authored-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: William Tu <u9012063@gmail.com>
Diffstat (limited to 'tests/system-traffic.at')
| -rw-r--r-- | tests/system-traffic.at | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 4a39c929c..3ed03d92b 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -611,6 +611,16 @@ NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl 3 packets transmitted, 3 received, 0% packet loss, time 0ms ]) +dnl Test OVS handles TLV map modifictions properly when restores frozen state. +NS_CHECK_EXEC([at_ns0], [ping 10.1.1.100 > /dev/null &]) + +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x88,len=4}->tun_metadata1"]) +sleep 1 +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x99,len=4}->tun_metadata2"]) +sleep 1 +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0xaa,len=4}->tun_metadata3"]) +sleep 1 + OVS_APP_EXIT_AND_WAIT([ovs-ofctl]) OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP |