On 19 May 2016 at 08:52, Ben Pfaff <[email protected]> wrote: > On Mon, May 16, 2016 at 08:08:01PM -0700, Joe Stringer wrote: >> During udpif_create(), we register callbacks for handling upcalls and >> purging the datapath; however, in the corresponding udpif_destroy() we >> never did this. This could potentially lead to dereference of >> uninitialized memory in the userspace datapath if the main thread >> destroys the udpif then executes an OpenFlow packet-out. >> >> Fixes: e4e74c3a2b9a ("dpif-netdev: Purge all ukeys when reconfigure pmd.") >> Fixes: 623540e4617e ("dpif-netdev: Streamline miss handling.") >> Reported-by: William Tu <[email protected]> >> Signed-off-by: Joe Stringer <[email protected]> >> --- >> ofproto/ofproto-dpif-upcall.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c >> index 0543c78e8790..8276668c7a50 100644 >> --- a/ofproto/ofproto-dpif-upcall.c >> +++ b/ofproto/ofproto-dpif-upcall.c >> @@ -434,6 +434,9 @@ udpif_destroy(struct udpif *udpif) >> { >> udpif_stop_threads(udpif); >> >> + dpif_register_dp_purge_cb(udpif->dpif, NULL, udpif); >> + dpif_register_upcall_cb(udpif->dpif, NULL, udpif); >> + > > Good catch. > > Acked-by: Ben Pfaff <[email protected]>
Thanks, applied to master, branch-2.5 and (without the purge_cb) branch-2.4. _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
