During udpif_create(), we register callbacks for handling upcalls and
purging the datapath; however, in the corresponding udpif_destroy() we
never did this. This could potentially lead to dereference of
uninitialized memory in the userspace datapath if the main thread
destroys the udpif then executes an OpenFlow packet-out.
Fixes: e4e74c3a2b9a ("dpif-netdev: Purge all ukeys when reconfigure pmd.")
Fixes: 623540e4617e ("dpif-netdev: Streamline miss handling.")
Reported-by: William Tu <[email protected]>
Signed-off-by: Joe Stringer <[email protected]>
---
ofproto/ofproto-dpif-upcall.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index 0543c78e8790..8276668c7a50 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -434,6 +434,9 @@ udpif_destroy(struct udpif *udpif)
{
udpif_stop_threads(udpif);
+ dpif_register_dp_purge_cb(udpif->dpif, NULL, udpif);
+ dpif_register_upcall_cb(udpif->dpif, NULL, udpif);
+
for (int i = 0; i < N_UMAPS; i++) {
cmap_destroy(&udpif->ukeys[i].cmap);
ovs_mutex_destroy(&udpif->ukeys[i].mutex);
--
2.8.2
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
